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in call-by- value functional languages 
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Abstract This paper formalizes and proves correct a compilation scheme for mutually- 
recursive definitions in call-by-value functional languages. This scheme supports a wider 
range of recursive definitions than previous methods. We formalize our technique as a trans- 
lation scheme to a lambda-calculus featuring in-place update of memory blocks, and prove 
the translation to be correct. 
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1 Introduction 

1 . 1 The need for extended recursion 

Functional languages usually feature mutually recursive definition of values, for example via 
the letrec construct in Scheme, let rec in Caml, val rec and fun in Standard ML, or 
recursive equations in Haskell. Beyond syntax, functional languages differ also in the kind of 
expressions they support as right-hand sides of mutually recursive definitions. For instance, 
Haskell [25] allows arbitrary expressions as right-hand sides of recursive definitions, while 
Standard ML [22] only allows syntactic A-abstractions, and OCaml [21] allows both X- 
abstractions and limited forms of constructor applications. 

The range of allowed right-hand sides crucially depends on the evaluation strategy of the 
language. Call-by-name or lazy languages such as Haskell naturally implement arbitrary re- 
cursive definitions: the on-demand unwinding of the recursive definition performed by lazy 
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evaluation correctly reaches the fixed point when it exists, or diverges when the recursive 
definition is ill-founded, as in x = x + 1. For call-by- value languages, ill-founded definitions 
are more problematic: during the evaluation of x = x + 1, the right-hand side x+1 must be 
evaluated while the value of x is still unknown. There is no strict call-by-value strategy that 
allows this. Thus, such ill-founded definitions must be rejected, statically or dynamically. 

The simplest way to rule out ill-founded definitions and ensure call-by-value evalua- 
bility is to syntactically restrict the right-hand sides of recursive definitions to be function 
abstractions, as ML does. Such a restriction also enables efficient compilation of the recur- 
sive definitions, for instance using the compilation scheme described by Appel [1]. While 
generally acceptable for direct programming in ML, this restriction can be problematic when 
we wish to encode higher-level constructs such as objects, classes, recursive modules and 
mixin modules. For instance, Boudol [3] uses definitions of the shape x = c x (where c is a 
variable) in his recursive record semantics of objects. Similarly, Hirschowitz and Leroy [14] 
use mutually-dependent sets of such definitions for representing mixin modules. Putting 
these works into practice requires the definition of an efficient, call-by-value intermediate 
language supporting such non-standard recursive definitions. This definition is the topic of 
the present article. 



1.2 From backpatching to immediate in-place update 

Backpatching of reference cells A famous example of a call-by-value language that does 
not statically restrict the right-hand sides of recursive definitions is Scheme [17]. The op- 
erational semantics of the letrec construct of Scheme is known as the backpatching se- 
mantics'. It is illustrated in Figure 1. Consider two mutually-dependent definitions xi = e\ 
and X2 = ^2- First, a reference cell is assigned to each recursive variable, and initialized to 
some dummy value undefined (represented by • in Figure 1). Then, the right-hand sides are 
evaluated, building data structures that possibly include the reference cells, to obtain some 
values vi and V2. Until this point, any attempt to dereference the cells is a run-time error 
Finally, the reference cells are updated with vi and V2, and the definitions can be considered 
fully evaluated. 

The backpatching scheme leaves some flexibility as to when the reference cells botmd to 
recursively-defined variables are dereferenced. In Scheme, every occurrence of these vari- 
ables that is evaluated in the lexical scope of the letrec binding causes an immediate deref- 
erence. Boudol and Zimmer [4] propose a compilation scheme for a call-by-value A -calculus 
with unrestricted mutually reciu'sive definitions where the dereferencing is further delayed 
because arguments to functions are passed by reference rather than by value. The difference 
is best illustrated on the definition x = (Xy.Xz.if z = then 1 else y {z — I)) x. In Scheme, 
it compiles down to the following intermediate code (written in ML-style notation) 

letx = ref undefined in 

X : = [Xy.Xz.if Z = then 1 else y (z — 1)) \x 

and therefore fails at nm-time because the reference x is accessed at a time when it still 
contains undefined. In Boudol and Zimmer's compilation scheme, the y parameter is passed 



The immediate in-pluee update compilation scheme studied in this paper also uses a kind of backpatch- 
ing, but we only use ''backpatching" to refer to the schemes described in this section, i.e., to abbreviate 
"backpatching of reference cells". 
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1. Initialization: 




2. Computation: 




3. Reference update: 




Fig. 1 The backpatching scheme 

by reference, resulting in tlie following compiled code: 

let X = ret undefined in 

X := {Xy.Xz-if Z = then 1 else \y (z— l))x 

Here, x is passed as a function argument without being dereferenced, therefore ensuring that 
the recursive definition evaluates correctly. The downside is that the recursive call to y has 
now to be preceded by a dereferencing of y. 

In summary, the backpatching semantics featured in Scheme enables a wider range of re- 
cursive definitions to be evaluated under a call-by-value regime than the syntactic restriction 
of ML. This range is even wider in Boudol and Zinmier's variant [4]. In both cases, a draw- 
back of this approach is that, in general, recursive calls to a recursively-defined function 
must go through one additional indirection. For well-founded definitions, this indirection 
seems superfluous, since no further update of the reference cells is needed. Scheme com- 
pilers optimize this indirection away in some cases, typically when the right-hand sides are 
syntactic functions; but removing it in all cases requires alternative approaches, which we 
now describe. 

In-place update The in-place update scheme [6] is a variant of the backpatching implemen- 
tation of recursive definitions that avoids the additional indirection just mentioned. It is used 
in the OCaml compilers [21]. 
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1. Pre-allocation: 

X\ I » I » I X2 I » I 

2. Computation: 




3. In-place update: 




Fig. 2 The in-place update sclieme 



The in-place update scheme implements mutually recursive definitions that satisfy the 
following two conditions. For a mutually recursive definition X[ = e\.. . . ,a„ = «„, first, the 
value of each definition should be represented at run-time by a heap allocated block of 
statically predictable size; second, for each i, the computation of e, should not need the 
value of any of the definitions ej, but only their names Xj. As an example of the second 
condition, the recursive definition / = Ajc. (.../...) is accepted, since the computation of the 
right-hand side does not need the value of /. We say that it weakly depends on /. In contrast, 
the recursive definition f={fO) is rejected. We say that the right-hand side strongly depends 
on /. Several techniques to check this condition have been proposed [3, 14, 12,8]. 

The evaluation of a set of mutually recursive definitions with in-place update consists of 
three steps. First, for each definition, allocate an uninitialized block of the expected size, and 
bind it to the recursively-defined identifier. Those blocks are called dummy blocks, and this 
step is called the pre-allocation step. Second, compute the right-hand sides of the definitions. 
Recursively-defined identifiers thus refer to the corresponding dummy blocks. Owing to the 
second condition, no attempt is made to access the contents of the dummy blocks. This step 
leads, for each definition, to a block of the expected size. Third, update the dummy blocks in 
place with the contents of the computed blocks. (Alternatively, the second step could store 
directly its results in the dummy blocks. However, this would require a special evaluation 
scheme for right-hand sides of recursive definitions whereas, here, they are evaluated just 
like any other expression.) 

For example, consider a mutually recursive definition xi = ei,X2 = e2, where it is stati- 
cally predictable that the values of the expressions ei and e2 will be represented at runtime 
by heap-allocated blocks of sizes 2 and 1, respectively. Here is what the compiled code 
does, as depicted in Figure 2. First, it allocates two uninitialized heap blocks, at addresses £i 
and £2, of respective sizes 2 and 1. Then, it computes ei, where xi and X2 are bound to £1 
and £2, respectively. The result is a heap block of size 2, possibly containing references to £1 
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and 12- The same process is carried on for €2, resulting in a heap block of size 1. The third 
and final step copies the contents of the two obtained blocks to i\ and i2, respectively, then 
garbage-collects the useless blocks. The result is that the two initially dummy blocks now 
contain the proper cyclic data structures, without the indirection inherent in the backpatching 
semantics. 

Immediate in-place update The scheme described above computes all definitions in se- 
quence, and only then updates the dummy blocks in place. From the example above, it 
seems quite clear that in-place update for a definition could be done as soon as its value is 
available. Such an improvement has been proposed for the backpatching semantics [31], and 
we merely adapt it to our setting here. We call this method the immediate in-place update 
scheme and concentrate on it in the remainder of this paper. 

As long as definitions weakly depend on each other, as happens with functions for in- 
stance, both schemes behave identically. Nevertheless, in the case where 62 strongly depends 
on xi, for example if £2 = f st(xi) + 1, the original scheme can go wrong. Indeed, the con- 
tents of l\ are still undefined when e2 is computed. Instead, with immediate in-place update, 
the value vi is already available when computing 62- This trivial modification to the scheme 
thus increases the expressive power of mutually recursive definitions. It allows definitions to 
de-structure the values of previous definitions. Furthermore, it allows some of the mutually- 
recursive definitions to have statically unknown sizes, as shown by the following example. 

An example of execution is presented in Figure 3. The defiiution is x\ = ei,X2 = e2,X3 = 
£3, where ei and 63 are expected to evaluate to blocks of sizes 2 and 1, respectively, but 
where the representation for the value of 62 is not statically predictable. The pre-allocation 
step allocates dummy blocks for xi and JC3 only. The value vi of ei is then computed. It can 
reference x\ and X3, which correspond to pointers to the dunmiy blocks, but not X2, which 
would not make any sense here. This value is copied to the corresponding dummy block. 
Then, the value V2 of 62 is computed. The computation can refer to both dummy blocks, and 
can also strongly depend on x\, but not on X2. Finally, the value V3 of 63 is computed and 
copied to the corresponding dummy block. 

The immediate in-place update scheme implements more definitions than the original in- 
place update scheme. In fact, it implements arbitrary non-recursive definitions, thus allowing 
to merge the traditionally distinct constructs let and let rec. 

Restrictions imposed on the source language What are the restrictions put on recursive defi- 
nitions in the source language if we are to compile them with the immediate in-place update 
scheme? We adopt the following sufficient conditions. First, the values of forward refer- 
enced definitions must be represented by heap-allocated blocks. Second, the sizes of these 
blocks must be known statically. Third, the contents of these blocks should not be accessed 
before they have been updated with proper values. These restrictions are highly dependent 
on the data representation strategy implemented by the compiler. The second restriction also 
depends on how expected sizes are computed at compile-time, which entails a static anal- 
ysis that is necessarily conservative. For instance, Hirschowitz [12] derives the sizes from 
the static types of the right-hand sides of recursive definitions, while the OCaml compiler 
proceeds by syntactic inspection of the shapes of the right-hand sides. More sophisticated 
static analyses, such as 0-CFA [29] or enriched type systems, could also be used. 

In this article, we abstract over these compiler-dependent issues as follows. We define 
a source language where each recursive definition is annotated by the expected size of the 
representation of the right-hand side, if known. These annotations reflect the result of a prior 
size analysis of the kind mentioned earlier. Both our source and target languages feature a 
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1. Pre-allocation: 

1*1*1 -^3 r*~i 

2. Computation of ei: 




3. Update of xi with vi : 




4. Computation of €2 and binding of its value to X2: 




Fig. 3 The immediate in-place update scheme 



notion of size, which we only assume to be preserved by the translation (Hypothesis 17) and 
satisfy a few natural requirements (Hypotheses 1 and 10). 

1.3 Summary of contributions 

The contributions of this article are threefold. First, we introduce and formalize a call-by- 
value functional language called Ao, featuring an extended recursion construct that is not 

restricted to A -abstractions as right-hand sides of recursive definitions, but also supports 
recursive definitions of data structures {x = cons 1 x) and of fixed points of certain higher- 
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order functions {x = f x). This recursion construct subsumes botli the standard recursive and 
non-recursive value binding constructs let and let rec, and is compilable by immediate 
in-place update. 

Second, we provide the first formalization of the in-place update implementation 
scheme. It is formalized as a translation from Xo to a target language Aa that does not feature 
recursive definitions, but instead explicitly manipulates a heap via allocation and update 
operations. This language is designed to closely match the Lambda intermediate languages 
used by the OCaml compiler [21], attesting that it can be implemented efficiently. 

Third, we prove that the evaluation of any Ao expression is correctly simulated by its 
translation. This is the first formal correctness proof for the in-place update scheme. 

The remainder of this paper is organized as follows. In Section 2, we formalize the 
source language Ao- Section 3 defines the target language Aa- We define the compilation 
scheme from Ao to Aa in Section 4, and prove its correctness in Section 5. Finally, we discuss 
related work in Section 6 and conclusions and future work in Section 7. 



2 The source language Ao 

2.1 Notations 

Given two sets A and B,A#B means that A and B are disjoint, ^(A) denotes the set of all 
subsets of A, and |A| denotes the cardinal of A. 

For all sets A and B and functions f : A —> B, dom(/) denotes the domain A of /, and 
cod (/) denotes its codomain B. Moreover, f\p denotes / restricted to A \ C. We also write 
f{a b) for the unique function /' : (A U {a}) — > {B\j{b}) such that /'(a) = b and for all 
a' 6 A \ {a}, f'{a') = f{a'). Moreover, for all functions /i : Ai ^ Bi and fi'.A^^ B^, if 
A\ # A2, then f\ + f2 denotes the union of f\ and /i as graphs. 

For any syntactic entity ranged over by a meta variable X, with variables ranged over by 
X, the notation [xi^X\,.. .,x„i-^X„] (for n > 1 ) denotes a substitution function o that maps 
Xi to Xi for 1 < ! < w, and maps all other variables to themselves. The identity substitution 
is written id. The application of a substitution to a syntactic entity with bindings must use 
standard techniques to avoid variable capture. The domain of this substitution is the set of all 
variables, and its support supp(cT) is {x | x ^ (^{x)}- Substitutions are required to have finite 
support. Accordingly, the cosupport is defined by cosupp(CT) = {(7(x) | x £ supp(a)}. For 
all substitutions CTi and CT2, if supp(CTi) # supp((j2)> we define their disjoint union cJi -|- 02 by 
(<7i -l-<72)(x) = <7i(x) for all X G supp(<7i), (<7i -l-<72)(x) = (72 (x) for all X G supp(<72), and 
(cti -|- 02){x) = X for all x ^ (supp(CTi) l+l supp(CT2)). (This overloads the previous notation 
/i +/2 for functions with disjoint domains.) For all substitutions CJi and CJ2, we write C7i {02) 
for the unique substitution of support supp(<72) such that for all x G supp(o2), <7i(o2) W = 
0\ (cr2(x)). It is in general different from the composition CTi o 02, since if x G supp(<7i) \ 
supp(c72), (ci o (72) W = O'i(x), whereas (c7i(c72))(x) =x. 



2.2 Syntax 

The syntax of Ao is defined in Figure 4. The meta-variables X and x range over names and 
variables, respectively. Variables are used in binders, as usual. Names are used for labeling 
record fields. The metavariables for other syntactic entities are in lowercase, in order to ease 
the distinction with the metavariables for syntactic entities of the target language (Section 3), 
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Variable: 
Name: 



X 6 vars 
X e names 



Expression: 



e G expr 



:= X I Xx.e I ei 62 A-calculus 

I {r} I e.Z Record operations 

I rec in e Recursive definitions 



Record row: 
Binding: 



b 



r 




Size indication: 



o 



(n a natural number) 



Fig. 4 Syntax of 



FV(x) 
FV(<;i ez) 



{4 

FV(ei)UFV(e7) 
FV(.) 
U WUFVW 



FV(Ax.<;) =FV(e)\{x} 

FV({r» = FV(r) 

FV(rec in e) = (FV(fo) U FV(e)) \ dom(6) 

FV(r) ={r(X) |X€dom(r)} 



FV(<;.X) 
FV(fc) 



Fig. 5 Free variables in Xo 

which will be in upper case. The syntax includes the A-calculus: variable x, abstraction 
Xx.e, and application ei 62- The language also features records, record selection e.X and 
a binding construct written rec. By convention, the rec construct has lowest precedence, 
so that for instance rec b in e\ means rec b in(e| ej). In a rec ine expression, e is 
called the body. To simplify the formalization and without loss of expressiveness, records 
are restricted to contain only variables, i.e., be of the shape {Xi = , . . . ,X„ = x„}. Bindings 
b have the shape oj ei , . . . ,x„ o„ e„, where arbitrary expressions are syntactically allowed 
as the right-hand sides of definitions, and every definition is annotated with a size indication 
o. A size indication can be either the unknown size indication =[7] , or a known size indication 
=[„] , where n is a natural number. We write £ for the empty binding. 

Implicit syntactic constraints In what follows, we implicitly restrict ourselves to record 
rows, bindings and expressions satisfying the following conditions: 

1. Record rows do not define the same name twice; 

2. Bindings do not define the same variable twice; 

3. Bindings do not contain forward references to definitions of unknown size, in the sense 

made precise next. 

The free variables FV(e) of expressions, bindings, and record rows are defined induc- 
tively by the rules in Figure 5. In a rec binding b= {x\ 0\ e\, . . . ,x„o„ e„), we say that there 
is a forward reference of to xj if i < j and xj 6 FV(e,). Condition 3 requires that for all 
bindings b and forward reference of Xi to Xj in b, the size indication Oj is =[„] for some n. This 
is consistent with the immediate in-place update scheme, where no blocks are pre-aUocated 
for definitions of unknown size, so previous definitions must not refer to them. 

Finally, taking advantage of conditions 1 and 2 above, we implicitly view record rows 
as finite functions from names to variables and bindings as finite functions from variables 
to expressions, and use standard notations for domain, codomain, application, etc. Also, 
we write ri , r2 for the concatenation of r\ and ri, and similarly for bindings. Finally, we 
implicitly view records and bindings as sets of pairs {X,x) (resp. of triples {x,o,e)), for 
example to write {X = x) E r (resp. {xoe) e b). 
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Value: 



V 6 values 



:= X I Xx.e I {r} 



Answer: 



a 6 answers 



:= V I rec i)v inv 



Size-respecting binding: 



:= e 

I x=p]V,bs, 



where size(v) = n 



Fig. 6 Values and snswcrs in Ao 

Structural equivalence We consider expressions equivalent up to a-conversion^, i.e., re- 
naming of bound variables, in functions and rec expressions. In the following, to avoid 
ambiguity, we call raw expressions not considered up to a-conversion. Let = denote equal- 
ity of raw expressions and = denote equality modulo a conversion. 

2.3 Dynamic semantics 

We now define the dynamic semantics of Ao. Figure 6 defines Ao values to be variables, 
functions, and records. 

2.3.1 Overview: sizes and recursive definitions 

We have seen that rec-bound definitions can be annotated with natural numbers representing 
their sizes. The role of these size indications is to declare in advance the expected sizes of 
the memory blocks representing the values of definitions. Technically, they will be required 
to match the size of allocated blocks in the sense of our target calculus. For definitions that 
are not forward-referenced from previous definitions, there is no need for annotations. 

In Ao, during the evaluation of a binding, if the currently evaluated definition is expected 
to have size n, then it must evaluate to a non-variable value whose size equals n. Otherwise, 
evaluation gets stuck. 

Hypothesis 1 ( Size in Xo ) We assume given a partial function size from Ao values to natural 
numbers, defined exactly on values\vars. 

An evaluated definition not matching its size indication is considered an error, in the 
sense that it prevents further reductions. Thus, only size-respecting bindings b^, as defined 
in Figure 6, are considered fully evaluated. 

Note that size-respecting bindings define only values. The intuition is that, given a def- 
inition (x =|„] e), this forces the topmost block of the value of e to be determined by pre- 
vious definitions. For instance, suppose that size({X =x>) = n. Then, the binding {y =[„] 
{X = x},z =[„] y) is not fully evaluated, but we will see below that it evaluates correctly to 
(y =[n] ■C^ = xy,z =i„] iX = x}). On the contrary, the binding (z =[„] y.y =[„] iX = x}) is in- 
valid: y can not be replaced with its value, according to the reduction relation defined below. 
(Such a reduction step could not be implemented by immediate in-place update as depicted 
in Figure 3.) 

Besides the non-standard notion of size, the dynamic semantics of Ao is unusual in its 
handling of mutually recursive definitions, which is adapted from the equational theory of 



- The notion of structural equivalence could include reordering of record fields, but we do not need it, so 
we just consider a-equivalence. 
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Ariola and Blom [2]. There is no rule for eliminating rec: evaluated bindings remain at top- 
level in the expression and also in evaluation answers, as defined in Figure 6. This top-level 
binding serves as a kind of heap or recursive evaluation environment. An answer a is defined 
to be a value, possibly surrounded by an evaluated, size-respecting binding. It thus may have 
the shape rec by in v. 

The dynamic semantics of rec relies on five fundamental equations, which resemble 
the rules used by Wright and Felleisen [32]. We start with an informal presentation of these 
equations using contexts C, i.e., terms with a hole □. Context application C[e] is textual, 
possibly capturing replacement of □ with e in C. The rules rely on additional conditions 
defined later to (1) avoid variable captures and (2) enforce the reduction strategy of the 
language, but are roughly as follows. 

1. The first equation is lifting. It lifts a rec node up one level in an expression. An expres- 
sion of the shape ei (rec b in 62) is equated with rec b in (ei 62)- 

2. The second equation is internal merging. In a binding, when one of the definitions starts 
with another binding, then this binding can be merged with the enclosing one. An ex- 
pression of the shape rec b\,x = (rec Z?2 in ei),^3 in ^2 is equated with rec bi,b2,x = 
ei,b3 in £2. 

3. The third equation is external merging, which merges two consecutive bindings. An 
expression of the shape rec bi in rec ^2 in e is equated with rec b\ , b2 in e. 

4. The fourth equation, external substitution, replaces variables defined in an enclos- 
ing binding with their definitions. Given a context C, an expression of the shape 
rec b in C[x] is equated with recfcinC[e], if ;c = e appears in b. 

5. The last equation, internal substitution, replaces variables defined in the same bind- 
ing with their definitions. Given a context C, an expression of the shape rec h\,y = 
C[x],b2 in ei is equated with rec Z?! ,y = C[e2],fe inei if x = e2 appears inbi,y = C[x],b2- 
The issue is how to arrange these operations to make the evaluation deterministic and to 

ensure that it reaches the answer when it exists. Our choice can be summarized as follows. 
First, bindings that are not at top-level in the expression must be lifted before their evaluation 
can begin. Thus, only the top-level binding can be evaluated. As soon as one of its definitions 
gets evaluated, evaluation can proceed with the next one, or with the body if there is no 
definition left. If evaluation encounters a binding inside the considered expression, then this 
binding is lifted up to the top level of the expression, or just before the top-level binding if 
there is one. In this case, it is merged with the latter, internally or externally, according to the 
context. External substitution is used to replace a variable in dereferencing position (like x in 
x.X or X V, see the precise definition of dereferencing contexts below) with its value, fetched 
from the top-level binding. Internal substitution is used similarly, but inside the top-level 
binding, and only from left to right (i.e., when the copied definition comes from the left of 
the current evaluation point). 

Remark 2 (Policy on substitution and call-by-value) The substitution rules only replace one 
occurrence of a variable at a time, which has to be in destructive position. This strategy 
w.r.t. substitution, called destruct-time by Sewell et al [28], does not contradict the fact 
that Ao is call-by-value. Indeed, only values are copied, and any expression reached by the 
evaluation is immediately evaluated. The fact that evaluated definitions are not immediately 
substituted with their values in the rest of the expression is rather a matter of presentation. 
Notably, this presentation allows Xo to properly represent recursive data structures, as shown 
in Section 2.4 and Figure 14. 

To implement our strategy, we remark that evaluation should not be the same at top- 
level and inside an evaluation context. For example, consider e = ((rec x =[7] eo in xy) z). 
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Lift context: 

L ::= e □ I □ V I n.X 
Nested lift context: 

F ::= □ |eF|Fv|F.X' 
Evaluation context: 
E ::= F 

I rec fev in F 

I rec bv,xo¥,b ine 



Fig. 7 Evaluation contexts of Ao 
Alpha equivalence: 



e F = e' F 

by =bj b = y 



F V = F v' 



(rec bM,xo'V,b in e) = (rec bj ,xo¥,b' in e ) 

Free variables: FV(D) - 
FV(e F) 
FV(F v) 
FV(F.X-) 
FV(rec fe„ in F) 
FV(rec by,xoW,b ine) 



Binding context: 
Bo ::= b^,xoa,b 
Nested dereferencing context: 
A ::= □ V I U.X 
I e A I A V I A.X 
Dereferencing context: 
D ::= A 

I rec i>„ in A 

I rec i>v,^o A, in e 

I rec B=, , in e 



bsi = bj 
rec fo„ in F = rec bj in F 

F = F' e = (: 



E[F] = E[F'] 



(bi,xoe,b2) = (bi,xoe',b2) 



= 

= FV(e)UFV(F) 
= FV(F)UFV(v) 
= FV(F) 

= FV(«>„)UFV(F) 
= {x} U F\/{b^,b) U FV(F) U FV(e) 



Captured variables: Captn (rec fe„ in F) = dom(fe„) 

CaptQ (rec by,xoW,b in e) = {j:}Udom(fe„,i)) 
Captn (F) =0 



Fig. 8 Structural equivalence of Xo evaluation contexts 



where eo reduces to e\ . According to the informal specification above, before the evaluation 
of eo can start, the binding should first be lifted to the top level to obtain e' = (rec x =[?] 
eo in (;c y z) ) . So, our reduction relation should not respect the usual rule saying that for any 
eo and ei, if eo — > e\, then E[eo] — * IE[ei] for any evaluation context E. This leads us to 
define two relations: the subreduction relation handling reductions inside expressions, 
and the reduction relation — >, handling top-level reductions. We write (resp. -^*) for 
the transitive (resp. transitive reflexive) closure of the relation and similarly for — >. 

2.3.2 The subreduction relation 

First, we define subreduction in Figure 9, using notions defined in Figures 7 and 8. It is first 
defined on raw expressions, then lifted to a-equivalence classes of expressions by the usual 
rule 



ei = e\ e'l e'2 ^2 = ^2 
ci e2 

Record projection selects the appropriate field in the record (rule ProjecTo). The ap- 
plication of a function Ajc.e to a value v reduces to the body of the function where the 
argument has been rec-bound to x (rule BetAq). Rule LifTq describes how bindings are 
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Subreduction rules (^) 



FV(v) 

{r}.X-»r(Z) (PROJECTo) ^ ^ ^-^ (BetAo) 

(Ax.e) V ^ rec X =[7] V in e 

dom(W#FV(L) 

(LiFTo) 



L[rec 6 in e] rec b in L[e] 
Reduction rules ( — >) 



e e 

-pr (CONTEXTo) 



EH — > E[e'] 
dom(/)i) # ({x} U FV(fc„,fc2) U FV(e')) 



(rec i>v,xo (rec iii ine),i)2 ine') — > (rec bv,bi,x o e,b2 in e') 
dom(fo) # FV(Z;„) 



(rec i)„ in rec i) in e) — > rec i)„,6 in e 
Fig. 9 Dynamic semantics of Ao 



(EMo) D[x] — > lD)[lD)(x)] (SUBSTo) 



lifted up to the top of the term. Lift contexts L are defined in Figure 7. Rule LifTq states that 
an expression of the shape L[rec b in e] subreduces to rec b in L[e], provided no variable 
capture occurs. Alpha-equivalence is defined over contexts as follows: all variables may be 
a-renamed, except those that have □ in their scope. More formally, a-equivalence for eval- 
uation contexts is the smallest equivalence relation over evaluation contexts respecting the 
rules in Figure 8. In the same figure, we define the captured variables Capt^ (E) of an evalu- 
ation context E, and the free variables of an evaluation context. We have Capt^ (E) C FV(E) 
for all E. 

Remarks (Evaluation order) Function applications are evaluated from right to left. This 
nonstandard choice is explained in Remark 11, in light of the semantics of the target lan- 
guage Aa. The results of the paper can be adapted to a left-to-right evaluation setting with 
some additional work. 



2.3.3 The reduction relation 

The reduction relation is defined in Figure 9. It is first defined on raw expressions, then lifted 
to a-equivalence classes of expressions by the usual rule 

e\ = e'l e'l — > 62 ^2 — ^2 

ei > 62 

Rule CoNTEXTo extends the subreduction relation (as a relation over raw expressions) 
to any evaluation context. As defined in Figure 7, we call a nested lift context F a series of lift 
contexts. Moreover, we call a binding context of size o a binding {bv,xo 0,b) where the 
context hole □ corresponds to the next definition to be evaluated, and this definition is an- 
notated by o. An evaluation context E is a nested lift context, possibly appearing as the next 
definition to evaluate in the top-level binding, or enclosed inside a fully evaluated top-level 
binding. Our unusual, staged formulation of evaluation contexts enforces the determinism 
of the reduction relation w.r.t. bindings: evaluation never takes place inside or after a bind- 
ing, except the top-level one. Other bindings inside the expression first have to be lifted to 
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the top by rule LiFTo, then be merged with the top-level binding, if any, by rules EMo and 
IMo (respectively for external and internal merging). If the top-level binding is of the shape 
b^.xo (rec b\ in e),Z>2, rule IMo allows to merge fci with it, obtaining i>v,i»i,:«:oe,i>2- When 
an inner binding has been lifted to the top level, if there is already a top-level binding, then 
the two bindings are merged together by rule EMo. This implements the strategy informally 
described above. 

Finally, rule SubsTq describe how the variables defined by the top-level binding are 
replaced with their values when needed, i.e., when they appear in a dereferencing context, as 
defined in Figure 7. Dereferencing contexts may take two forms. First, they can be binding 
contexts of known size rec Z?v, n,^ in e. In the immediate in-place update compilation 
scheme, any definition of known size yields an allocation of a dummy block, which has to 
be updated. This is reflected here by requiring that in definitions of the shape [x =[„] y), y be 
eventually replaced with a non-variable value of size n. Dereferencing contexts can also be 
nested dereferencing contexts, i.e., function applications n v or record field selection n.X, 
wrapped by an evaluation context, as defined in Figure 7. Therefore, in Ao, the value of a 
variable is copied only when needed for function application or record selection (or in-place 
update, implicitly). The value of a variable x is found in the current evaluation context, as 
formalized by the following notion of access in evaluation contexts. 

Definition 4 Define Binding(F) = e 

Binding(rec in F) = 
Binding(rec ^?v,-^oIF,^? ine) =by, 

The value E(x) of x in E is (Binding(E))(x), when the latter is defined. 

Lemma 5 (Determinism of evaluation) The — > relation is deterministic. 

Proof We prove the result for raw expressions first, and then extend it to a-equivalence 
classes. First, subreduction is obviously deterministic, on raw expressions as well as on a- 
equivalence classes. Furthermore, both on raw expressions and on a-equivalence classes, 
the reduction rules do not overlap, so we only have to prove that each rule is deterministic. 

First consider the case of raw expressions. For all evaluation contexts E] ,E2 and subre- 
duction redexes e\ and e2, if Ei [ei] = E2[e2], we show that Ei = E2. This is shown in three 
steps: for lift contexts (by case analysis), nested lift contexts (by induction), and evaluation 
contexts (by case analysis). Hence, rule ContexTo is deterministic. Similarly, rule SubsTo 
is deterministic. 

Consider now the case of a-equivalence classes. Let a renaming p be a substitution 
function (as defined in Section 2.1) from variables to variables, and letp{e) denote capture- 
avoiding substitution in the usual sense. For all evaluation contexts Ei,E2 and sub re- 
duction redexes e\ and 62, if Ejei] = E2[e2], then there exists a renaming p, such that 
supp(p) C Captn (El) and p(Ei) = E2 and p(ei) = ei. This entails that rule CONTEXTo is 
deterministic. We proceed similarly for rule SubsTo. □ 

Definition 6 (Faulty Xa expression) h faulty Xo expression is an expression whose reduction 
gets stuck on an expression that is not an answer. By determinism, a non-faulty expression 
is an expression whose evaluation either does not terminate or reaches an answer. 

We now characterize faulty expressions, using the following notion of decomposition of 
an expression e: a decomposition of an expression e is a pair (E, e') such that e = E[e'] . (We 
consider pairs (E,e) modulo renaming of the captured variables of E, hence decomposition 
is well-defined on a-equivalence classes of expressions.) 
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Let us now define an ordering over decompositions. Decompositions (E,e') induce oc- 
currences in the abstract syntax tree of expressions, i.e., paths from its root to the designated 
occurrence of e'. This assignment is injective, i.e., these paths characterize decompositions. 
However, it is not onto since some paths do not correspond to any evaluation context. Given 
two decompositions (E,e) and (!£',<?') of some given eo, corresponding to paths p and p', 
consider their maximal common prefix p". We say that pQp' when either: 

- p" = p, or 

- p', after p" , turns left in an application, i.e., p" corresponds to a decomposition 
(E", (F[e] v)) and E' = E"[F v] (the other decomposition thus has E = E"[F[e] □]), or 

- p' , after p" , goes further in the top-level binding than p, i.e., E = (rec bsj,xoa,b ±nei), 
e is a value (of the expected size if needed), and E' has shape -recby,x o v,bj ,y o 
F, b' in e\ or rec b.j,bj in F. 

This relation C defines a total ordering on the set of decompositions of any expression e, 
which furthermore has a maximal element - the decomposition turning left in applications 
when possible, and going as far as possible in the top-level binding. Using this notion, we 
prove the following characterization. 

Proposition 7 For all e, the following are equivalent: 

1. e is faulty; 

2. e reduces to an expression D[v] in normal form, such that ifH = rec B=|^j in efor some 
n, B=[„], and e, then size(v), if defined, is not n; 

3. e reduces to an expression eo such that: 

- eo = ©[x], with D(x) undefined, 

- eo = rec Z7v,x =[„] v,b in e' with size(v) 7^ n and v ^ vars, 

- eo = E[{r} v], 

- eo = E[{r}.X] withX^ dom(r), 

- eo = E[{Xx.e').X]. 

Moreover, for all x and D, D(x) is undefined if and only if 

- ej'r/jerx ^ Capto(B), 

- or B) = rec i>v,x' oF,Zj in e' , withxe {x'} Udom(fo). 

Proof First, observe that all cases of (3) are faulty, hence (3) implies (1). We now show that 
(1) implies (3). 

Consider an expression with a normal form e which is not an answer Consider its maxi- 
mal decomposition (E, e') w.r.t. the ordering C. The expression e is an answer exactly when 
e' is a value and E is either empty or of the shape rec b^ in □. We proceed by case analysis 
on the other cases. 

If e' is not a value, then by maximality, it has the shape rec b' in e" for some b' and e", 
and E is not empty. But then one of rules IMo, EMo, and LifTo applies, contradicting the 
fact that e is in normal form. 

If e' is a value v, then E must have shape rec /^v in F or rec bv,xo¥,b in e". 

If F is not empty, then E has the shape E'[L]. Now, if L = (e □), the decomposition 
(E,e') cannot be maximal, since the decomposition (E'[d v],e) is greater. Otherwise, if 
L = (□ v'), then we have E'[v v'] in normal form, hence either v is a variable undefined in 
E', or is a record. Otherwise, L = (o.X), hence either v is a variable imdefined in E', or is a 
function, or is a record without an X field. All these cases are covered by (3). 

If otherwise F is empty, then E must have the shape rec by,xo D,b in e" . But then, for 
the decomposition (E, e') to be maximal, we must have o = =[„] for some «, and either 
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- V is a variable undefined in E (first case of (3)), or 

- size(v) is defined and different from n (second case). 

Finally, to show the equivalence with (2), all the cases of (3) are covered by (2), so (3) 
implies (2), and the only possibility for an expression D[v] in normal form to be an answer 
is that D has the shape rec in e with size(v) = n, so (2) implies (1). □ 

Remarks In Ao, we restrict record values to contain only variables. Actually, we could 
permit other kinds of values in record expressions, but not in record values, because it would 
break the properties of Ao w.r.t. sharing. In particular, as we also mention in Section 2.4, the 
sharing properties of Ao make it directly extensible with mutable values. If we allowed non- 
variable values in record values, then this would no longer be the case. 

To see this, assume that Ao is extended with such record values and a ternary op- 
erator e.X ^ e' for mutation of record fields. Then, consider e = (rec x =[>] {X = {Y = 
v» in jc.X.y ^ v'). The evaluation of e is as follows: first, the record is copied, then its 
X field is projected, which gives rec x =[7] {X = {7 = v}} in {7 = vy.Y <- v', which is impos- 
sible to rewrite to the expected result. 

In addition to this undesirable behavior, enriching Ao with non- variable values in record 
values would force us to considerably enrich the equational theory of our target language 
Aa. Indeed, Aa gives a rather fine-grained account of sharing, and we would have to add 
equations to reason modulo sharing. 



2.4 Examples 

In this section, we show examples of Ao reduction and give intuitions on important appli- 
cations of Ao, namely mixin modules and recursive modules. These examples demonstrate 
the expressive power of Ao, compared to the recursion constructs of both ML and Scheme, 
and also compared to the conference version of this paper [15]. Other possible applications 
include encodings of objects following Boudol [3]. However, Ao would have to be (straight- 
forwardly) extended with mutable records to support this encoding. 

2.4.1 Basic examples 

We start with small examples to give some intuition on the semantics. First, as noted in Re- 
mark 2, substitution occurs at destruct-time in Ao, following the terminology of [28]. This 
means that substitution of an occurrence of a variable is only performed when this occur- 
rence has to be replaced with a non-variable value in order for the evaluation to continue. 
This is illustrated in Figure 10, which shows an example of substitution at function applica- 
tion time. The first expression is partitioned into D = rec x =p] Xy.y in □ x and x. 

Figure 1 1 illustrates the left-to-right evaluation of bindings in Ao and the semantics of 
size indications. In particular, it emphasizes the fact that if a size indication turns out to be 
wrong, then the reduction is stuck. With respect to compilation, this models the fact that in 
the in-place update method, pre-allocated blocks should not be updated with larger blocks, 
otherwise execution might go wrong. In the second example of Figure 11, whose evaluation 
is correct, the first expression is partitioned into D = rec =[„] Xy.y, z =[?] □ x in z and x. 

Figure 12 shows a subtle point of the semantics. Namely, the size indications change the 
degree of sharing of definitions, in case they are just variables. From Figure 7, we remark 
that a binding context of the shape x =[„] □ is dereferencing. Therefore, if it is filled with a 
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Expression Comments 



recx=[7] Xy.y inxx Not a valid answer because, x j: is not a 

value, and the only possible reduction is by 
rule SUBSTo. 

i 

Tecx =[7] Xy.y in {Xy.y) x Only the first occurrence of x is substituted. 

We then apply rule BetAo. 

i 

rec X =p] Xy.y in Not yet a valid answer. We apply rule EMo. 

recy=[9] x iny 

i 

rec X =[9] Xy.y,y =pj x in y The binding is now size-respecting, because 
of the =[9] . 



Fig. 10 Substitution and function application 



Expression Comments 



rec z=[7] XX, 


The forward reference is syntactically cor- 


X =[n\ >^y-y 


rect (even if n 7^ size(A>'.y)), but the value 


in z 


of X cannot be copied, because it would be 


X 


from right to left. This is consistent with 


the in-place update compilation scheme 




sketched in Section 1.2. 



rec X =[„] Xy.y, The value of x can be copied, but only if the 

z =[7j X X size indication is correct, otherwise the first 

in z definition is not considered valid. Note that 

the size indication is in fact not necessary 
here because x is not forward referenced. 



i 

rec X 



=[n\ ^y-y^ 

z =[7] {Xy.y) X 



Fig. 11 Forward references 

Expression Comments 



rec y =[7] {X = {}}, The definition z =p] y respects sizes, so the 
z =[7] y whole expression is an answer. 

in z 



rec y =[7] {X = {}}, The definition z =[n| y does not respect sizes, 
z =[„] y so the expression reduces by rule SubsTo. 

in z 

i 

rec y =[9] {X = {}}, We eventually reach an answer. 

z=[„]a = o} 

in z 



Fig. 12 Size indications and dereferencing contexts 



17 



Expression 

rec even =[9] Xx. {x = 0) or 

(odd(x-\)), 
odd =[„] Xx. {x > 0) and 
{even {x—\)) 

in even 56 

i 

rec even =[7] . . . , 

o<id =[„] . . . 
in {Xx.{x = 0)oT{odd(x-\)))56 

J.+ 

rec even =[7] . . . , 
odd =|„| . . . , 

a:; =|7| 56 

in (xi = 0) or (odd — 1)) 
i+ 

rec even =[7] . . . , 

orf^i =l„] . . . , 

xi =|7| 56 
in odd 55 



Comments 



The forward reference to odd is syn- 
tactically correct, and odd evaluates 
correctly if n is the right size. We ap- 
ply rule Subs To to replace even with 
its definition. 

We apply rule BetAo, followed by 
rule EMo. 



We then perform the boolean test un- 
successfully, obtaining odd {x\ — I), 
where we then replace xi with its 
value and obtain odd 55. We can then 
replace odd with its value and apply 
rule BetAo again, and so on. 



Fig. 13 Mutual recursion 

Expression Comments 

rec ;c =[„] iHead = 0, Tail = x}- This is a valid answer, representing an 

in X infinite (cychc) Ust of zeroes. 



Fig. 14 Reciu-sive data structure 



variable, this variable has to be substituted with its value in order for evaluation to continue. 
Figure 12 provides two examples differing only by one size indication. In the first case, the 
expression is a valid answer. In the second case, at the level of compiled code, a block is 
pre-allocated for z, which will eventually represent its value, so we must update it: the value 
of }' is copied to this block. At the source language level, this copying enables Ao to correctly 
reflect sharing in the compiled code, and therefore makes it ready for extension with mutable 
values. 

Figure 13 shows an example of mutually recursive functions, assuming that Ao has been 
extended with standard operations on booleans and integers. Finally, one may wonder why 
we do not perform substitution immediately after evaluation, as usual, but use destruct-time 
substitution instead. The reason is that it better represents the semantics of the construct 
we want to define. First, as previously mentioned, sharing is propertly modeled. Second, as 
shown in Figure 14, it allows to represent recursive data structures such as infinite lists. 

2.4.2 Mixin modules 

We now consider a more elaborate example, namely an encoding of a simple language of 
mixin modules, following the approach of [14]. The design of mixin modules in a call-by- 
value setting raises a number of issues that fall outside the scope of this paper; see [12] for 
a discussion. Our goal here is to informally explain why Ao is an adequate target language 
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for compiling mixin modules. Thus, we briefly describe a simple language of call-by-value 
mixin modules, for which we sketch a compilation scheme. 

Mixin modules Mixin modules are unevaluated modules with holes. Mixin modules are to 
ML-style modules what classes are to objects in object-oriented languages. The language 
provides a close operator to instantiate a complete mixin module into a module, thus trig- 
gering the evaluation of its components (see below). In order to obtain a complete mixin 
module, the language provides modularity operators, such as composition and deletion. For 
instance, one can define the mixin modules Even and Odd as follows. 

mixin Even = import 

odd : int -> int 
export 

even x = (x = 0) or (odd (x - 1)) 
end 

mixin Odd = import 

even : int -> int 
export 

odd X = (x > 0) and (even (x - 1)) 

end 

The holes of a mixin module are called its imports, and its defined components are its 
exports. The contents of mixin modules are not evaluated imtil instantiation, as described 
below. One can compose Even and Odd to obtain 

mixin Natl_Open = Even + Odd 

which is equivalent to 

mixin Natl_Open = import 
export 

even x = (x = 0) or (odd (x - 1)) 
odd X = (x > 0) and (even (x - 1)) 
end 

The name Natl_Open refers to the fact that the definitions of this mixin module are still 
late bound and can be overridden. Then, this mixin module can be instantiated into a proper 
module by 

module Natl = close Natl_Open 

which is equivalent to 

module Natl = struct 

let rec even x = (x = 0) or (odd (x - 1)) 
and odd x = (x > 0) and (even (x - 1)) 

end 

One can then select components from Nat 1, and write for instance Nat 1 . even 56. 

As an example of overriding, one can optimize the definition of even in Natl .Open 
by first removing it from Natl_Open, and then composing the result with a mixin module 
containing the new definition: 
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mixin Nat2_0pen = (Natl_Open - even) + 
import 
export 

even x = ((x mod 2) = 0) 
end 

which is equivalent to 

mixin Nat2_0pen = import 

export 

odd X = (x > 0) and (even (x - 1)) 
even x = ((x mod 2) = 0) 
end 

The obtained mixin module can then be instantiated into a plain module, as above. Fi- 
nally, we extend Nati_Open with a computation using the defined functions: 

mixin Nat_Test_Open = Natl_Open + 
import 

even : int -> int 
export 

test = even 56 
end 

The obtained mixin module is equivalent to 

mixin Nat_Test_Open = import 
export 

even x = (x = 0) or (odd (x - 1)) 
odd X = (x > 0) and (even (x - 1)) 
test = even 56 
end 



An incorrect encoding in Xo A reasonable idea for encoding mixin modules in Xo would 
be to adapt the standard encoding of objects and classes as recursive records [5]. However, 
this encoding allows to represent mixin modules, but not to instantiate them. Consider for 
instance Nat_Test_Open. It would be translated into a generator, that is, a function over 
records: 

rec NatJTest-Open =[7] Xself. 
i even = Xx.{x = 0) or {self .odd [x—l)) 

odd = Xx.{x > 0) and {self .even {x— 1)) 

test = self .even 56 } 
in . . . 

Then, the instantiation of Nat_Test_Open would consist of taking its fixed point, which 

gives 

rec Nat-Test =[„j Nat-Test-Open Nat-Test in . . . 
(assuming n to be the correct size), which gives after substitution 

rec Nat-Test = {Xself .i even = Xx self .odd . . . 

odd = Xx self .even . . . 

test = self .even 56 >) 
Nat-Test 



in 
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— >+ rec self =p] NatSest 

Nat -Test =[„] { even = Xx self .odd . . . 

odd = Xx self .even . . . 

test = self .even 56 }) 

in . . . 

— > rec i'e//=p] Nat-Test 

Nat-Test =[„] -C even = Xx self .odd . . . 

odd = Xx self .even . . . 

test = Nat-Test. even 56 }) 

in . . . 

whose evaluation is stuck, because Nat-Test is not yet evaluated and its definition is already 
requested. So the recursive record semantics of objects and classes does not directly adapt to 
mixin modules. The reason is that the components of a mixin module may strongly depend 
on each other, in the sense of Section 1.2, while the components of a class are essentially 
methods, which only weakly depend on each other. 

Remark 9 (Objects and strong dependencies) In Java, initialization of instance and static 
fields by arbitrary expressions can lead to strong dependencies between the fields. However, 
the semantics of field initialization in Java does not guarantee that a fixed point is reached 
[11, section 8.3.2.3]. Here is an example. 

static int f() ■[ return x + 1; } 
static int x = f() * 2; 

This code assigns 2 to x instead of causing an error as expected. 

A correct encoding in Xo We must find another way to compile mixin modules. In [14], a 
mixin module is translated into a record of functions, whose fields correspond to the exports 
of the source mixin module. Each export is abstracted over the other components upon 
which it depends, and over a dummy argument, useful for suspending the computation in 
the absence of dependencies. For instance, the mixin module Even has only one export even, 
which depends on the import odd, so it is represented by 

rec Even = {.even = Xodd.X-.Xx.{x = 0) or {odd {x — 1))> 

where _ denotes an imused variable. Similarly, Odd is represented by 

rec Odd = iodd = Xeven.X-.Xx.{x>Ql) and {even{x—\))y 

The translation of composition merely consists of picking the right fields in the arguments. 
For example, composing Even and Odd yields 

rec Natl -Open = ieven = Even.even,odd = Odd.oddy 

The composition can be generated even in a separate compilation setting, where only the 
types of Even and Odd are available. Indeed, it only relies on the names exported by the 
two mixin modules, which are mentioned in their types. Deletion is as easy as composition, 
since we only have to pick the non deleted fields of the argument. 
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Instantiation is more difficult, because of strong dependencies and sizes. Consider for 
example the instantiation of Nat_Test_Open. Here, even and odd must be defined before 
test, which strongly depends on them. Thus, we obtain 

rec even =[7] NatSestJDpen.even odd {}, 

odd = „] Nat_TestJDpen.odd even {}, 

test =[9] Nat-TestjOpen.test even {} 
in ieven = even, odd = odd, test = testy 

This translation evaluates as expected, provided we can statically guess the correct size n for 
the odd component. For some data representation strategies, this size can be computed from 
the static type of odd, but not always for other strategies; see Section 7 for a discussion. 

Another difficulty of the translation outlined here is to determine a correct order in which 
to evaluate the components of the mixin being closed. The approach proposed in [14] and 
refined in [16] relies on exploiting dependency information added to the static types of mixin 
modules. Another approach, outlined in [12, 13], is to embed dependency information in the 
run-time representation of mixin modules, and determine a correct evaluation order at run- 
time. 

2.4.3 Recursive modules 

Another possible application of Ao is for compiling recursive modules in extensions of the 
ML module system [7, 27, 21, 9]. Recursive structures are easily encoded in Ao. For example, 
consider the following two mutually recursive structures: 

module Even = struct 

let even x = (x = 0) or (Odd. odd (x - 1)) 

end 

and Odd = struct 

let odd X = (x > 0) and (Even. even (x - 1)) 
end 

Define the syntactic sugar struct b end, where is a list of declarations of the shape X\ o 
xi o\ ei, ... ,X„ >x„ o„ e„, to denote rec oi ei,...,x„o„e„ in{Xi =xi,...,X„=jc„>. Using 
this notation, the example above can be expressed as 

rec Even =[7] struct 

even > even =[7] Ax.(x = 0) or (Odd.odd {x— 1)) 
end, 

Odd =[„] struct 

odd > odd =[7] Ax.(x > 0) and {Even.even {x— 1)) 
end 
in . . . 

(where n is assumed to be the right size indication). Notice that the function definitions and 
the first module do not need to have known sizes, since the only forward reference concerns 
the second module Odd. 

Beyond recursive structures, it is desirable to encode recursive functor applications, 
which appear in many practical uses of recursive modules. For instance, consider the fol- 
lowing example, taken from the OCaml documentation [20, section 7.9]. 
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module A : sig 

type t = Leaf of string I Node of ASet.t 

val compare: t -> t -> int 
end = struct 

type t = Leaf of string I Node of ASet.t 

let compare tl t2 = ... ASet. compare ... 
end 

and ASet : Set . S with type elt = A . t 
= Set. Make (A) 

After erasing the type components of structures, we encode this example in Xo by 

rec At>A =[9] struct 

compare > compare =p] . . .ASet. compare . . . 
end, 

ASet > ASet =[„] Set. Make A 
in . . . 

(where n is, again, assumed to be the right size indication). This expression evaluates cor- 
rectly because Set. Make only weakly depends on its argument. The extension of this encod- 
ing to a separate compilation setting does not raise the problem of sizes we had for mixin 
modules: the sizes of ML modules can be guessed from their types. However, the depen- 
dency analysis remains difficult, and we are working on this issue. 

This section has demonstrated the expressive power of Ao by showing encodings of 
mixin modules and recursive modules, which attests its expressive power. In order to show 
how to compile it to efficient machine code, we now define a more elementary language 
called Aa, into which we then translate X^. 

3 The tai^et language Aa 

In this section, we define Aa, a A-calculus with explicit heap. It was carefully engineered 
to map directly to an abstract machine with a heap, and to enable efficient compilation to 
machine code. In particular, the heaps used in the semantics closely correspond to machine- 
level heaps. (This is apparent in the size requirement for the update operation to work.) 

3.1 Syntax 

The syntax of the target language Aa is presented in Figure 15. It includes the A-calculus with 
natural numbers and non-recursive let binding. Note that a let definition t = E computes 
E, and then either binds the result (if r is a variable) or ignores it (if t = _). The multiple 
value binding let ti = Ei, . . . ,t„ = E„ in E should be understood as let fi = £1 in . . . let f„ = 
E„ ±nE. We write e for the empty binding. Having a multiple let binding contributes to 
make the equational theory of Aa rich enough for the immediate in-place update scheme to 
be correct. Additionally, there are constructs for record operations (creation and selection), 
and constructs for modeling the heap: an allocation operator alloc, and an update operator 
update. 

The semantics of Aa uses a notion of heap, which comes in the form of a kind of global 
let rec. A raw configuration C is a pair KecH in £ of a heap H and an expression E. A 



23 



Variable: 
Name: 

Expression: 



Record row: 
Binding: 



Value: 

Stored value: 



X 

X 



E 6 Expr 



R 
B 
t 



e vars 
6 names 



X I Xx.E I E E 
let B in £ 
{R} I E.X 
alloc I update 



= e\{X = V,R) 
= e\{t = E,B) 
= x\. 



Natural number 
A, -calculus 

Non-recursive definitions 
Record operations 
Heap operations 



Variable or wildcard 



V £ Values •.:= x\n 

S e SValues ::= Xx.E \ alloc n \ {R} 



Heap: H e Heaps 

Configuration: C 
Evaluation answer: A e Answers 



:= e\x = S,H 
■— KecHinE 
:= RecHinV 



Fig. 15 Syntax of Aa 



FV(n) 
FVM 
FV{Xx.E) 
FV(£i £2) 
FV(let B in £) ^ 

FV(e) 
FV(R) 

FV(e) 



= 

--{x} 

--FV{E)\{x} 

= FV(£i)UFV(£2) 

-- FV(B.. = £)\dom(B) 

■- U FV(R(X)) 

Xedom(«) 
= 



FV({R}) 
FV(£.X) 
FV(alloc) 
FV(update) 



= FV(R) 
= FV(£) 
= 
= 



FV(f = E,B) = FV(£) U FV(B) U ({f} n vars) 
FV(RecHin£) = (FV(ff) U FV(£)) \dom(ff) 

fV{x = S,H) = {x} U FV(S) U FV(ff ) 



Fig. 16 Free variables in Aa 



heap is list of bindings x = S, where the stored value S 6 SValues is either a function ?ix.E, or 
a record {/?}, or an application of the shape alloc n for some natural number n. A value V 
is either a natural number or a variable (but not a stored value). An evaluation answer is a 
raw configuration of the shape RecH in V. 

Record rows R, (resp. bindings B and heaps H) are required not to define the same 
name (resp. variable) twice. We use for them the same notations as for Ao record rows and 
bindings for domain, codomain, concatenation, and so on. Observe that the wildcard _ is not 
a variable, hence is not in the domain of bindings nor in their free variables. 



Structural equivalence Free variables are defined in Figure 16. We call structural equiva- 
lence the smallest equivalence relation including reordering of heap bindings and renaming 
of bound variables. We call configurations structural equivalence classes of raw configura- 
tions. We write = for equality of raw configurations and = for equality of configurations. 
We extend substitutions to expressions and configurations in the standard way. For defining 
capture-avoiding substitution on expressions, the only non-trivial case is let B in E: the ap- 
plication of a substitution to an expression of the shape let f 1 = £1 ,...,?„=£'„ in £ proceeds 
exactly as applying it to let t\=E\ in . . . let tn= En inE. 
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Lift context: T] : 

Nested lift context: (p : 

Evaluation context; ^ : 

Allocation context: a : 



= E n\nv \ o.x 
= n\E(p\(pV\(p.X 

= (p I let f = (p,B in£ 

= 0\aE\E a \ a.X \ letBi,t = a,B2 inE\ let Sin a 



Fig. 17 Evaluation and allocation contexts of Aa 
Alpha equivalence: 

a2 = (4 E=E' E = E' 



«! [a2] = «! [a^] E a=E' a aE = a E' 

Bi=B[ (letB2inE) = (letB'2±nE') B = B' 



(let Bi,xoa,B2 inE) = (let B[,xo a,B'2 inE') let B±na = let B' in a 

E = E' 



{Bi,x = E,B2) = {Bi,x = E',B2) 



Free variables: 



FV(n) =0 
FV(a£) =FV(a)UFV(£) 
FV(£a) =FV(a)uFV(£) 
FV(a.X) = FV(a) 

FV(letBina) =FV(B)UFV(a) 

FV(let Si ,f = a,B2 in £) = FV(Bi ) U FV(a) U FV(let 82 in £) U ({j} n vars) 
Captured variables: 

Capto(n) =0 

CaptQ(a£) =Captg(a) 

Captg(£a) =CaptQ(a) 

CaptQ(o;.X) =CaptQ(a) 

Captn (let B in a) =dom(B) 

Captn (let Bi,t = a,B2 infi) = dom(Bi)uCapto(a) 

Fig. 18 Structural equivalence of Aa allocation contexts 



Finally, the free variables of a substitution a (any function from variables to one of the 
syntactic classes) are defined by 

FV(a)= U WUFV(c7(x)). 

J:€5upp(f7) 



3.2 Dynamic semantics 

The semantics of Aa is defined by a reduction relation — >, which, like that of Ao, is first 
defined as a relation over raw configurations, then straightforwardly lifted to a relation over 
configurations. 

3.2.1 The reduction relation 

The reduction relation is defined in Figures 17, 18, and 19, using the following hypothesis. 
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Hypothesis 10 (Size in X^) We assume given a function Size from stored values to natural 
numbers such that 

- for all n, Size(alloc n) = n, and 

- for all <7 G vars — > Values and S, Size(<7(5)) = Size(5). 

The second condition follows the intuition that the size of a stored value is determined 
by its top constructor, and is therefore invariant under substitutions (which do not change the 
top constructor, only its arguments). (It is also of technical use in the proof of correctness.) 

The reduction rules are defined in Figure 19, using the notions of contexts defined in 
Figure 17, and the scoping rules and functions of Figure 18. 

Rule BETAa is unusual in that it applies a heap allocated function to an argument V . The 
function must be a variable x bound in the heap to a value Xy.E, and the result is [y y] (E). 
The reduction can take place in any evaluation context ^ . 

Rule PROJECTa projects a name X out of a heap allocated record {i?} at variable x, 
returning R{X). 

Rule UPDATEa copies the contents (the stored value) of a variable to another variable. 
Both stored values must have exactly the same size and the copied one must not have the 
shape alloc n. This condition may seem unnecessary, but it is used to prove that faultiness 
is preserved by our translation. Recall that H{x = S) denotes H where the binding for x is 
replaced by x = S. 

As in Ao, the evaluation of bindings is confined to the top level of configurations. This 
requires the LiFTa rale, which lifts a binding outside of a lift context T] . 

By rale IMa, if the first definition of the top-level binding B is itself a binding 
let B\ in E\ , then B\ is merged with B. 

Rule LETa describes the top-level evaluation of bindings. Let [t i-^ V] denote [x ^ V] if i 
is a variable x, and the identity substitution otherwise. Once the first definition is evaluated, 
if f is a variable, then this variable is replaced with the obtained value in the rest of the 
expression; if J = evaluation proceeds directly. When the binding becomes empty, it can 
be removed with rale EMPTYLETa. 

By rale WEAKGCa, when a heap binding is not used by any other binding than itself, 
and not used by the expression either, it can be removed. This is formalized by requiring that 
the corresponding variable x be outside the set of free variables FV(7?y{_t}) U FV(£') of other 
heap bindings and of the main expression. This simple rule is here to model the garbage 
collection step mentioned in the explanation of Figure 2: it allows garbage-collecting the 
blocks obtained by evaluation of the recursively-defined expressions once they have been 
copied to the pre-allocated blocks. A general garbage collection rule could detect more kinds 
of dead data stractures, in particular mutually dependent, otherwise unused data stractures. 
This additional power is not needed in this paper, so we do not have a general garbage 
collection rale. 

Finally, rule ALLOCa is one of the key points of Aa, by which a configuration of the 
shape RecT/in a[S\ evaluates to the configuration Recx = S,H in a[x], where x is a fresh 
variable. In particular, if S is alloc n, the evaluation allocates a dummy block of size n on 
the heap. This reduction can happen in any allocation context a. Allocation contexts cover 
all contexts of Aa, except imder A -abstractions. The idea is that a value can be allocated in 
advance in the heap. For instance, given a configuration KecH in let B in S, it is possible 
to allocate S before computing the binding, provided S does not use the variables defined in 
B. The side condition FV(5') # Capto(a) ensures this, where Capto(a) denotes the set of 
binders located above the context hole in a, here dom(B) (see Figure 18). 
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H{x) = Xy.E 

iJ. 1 (Beta ) 

RecHin(^[A:y] — tKecH in ^[]y ^ V]{E)] ^ ' 

RecH in £, [x.X] — ► RecH in £, [R{X)] 
H{y) ^ {alloc n | n € N} Size{H{y)) = Size{H{x)) 



KecH in £, [update xy] — > necH{x = H(y)) in ^ [{}] 
dom(B)#FV(j]) 



(UPDATEa) 
(LiFTa) 



RecH in ^ [t] [let B in £]] — > KecH in [let B in 77 [E 

dom(Bi)#V}UFV(B2)UFV(£2) Rec // inlet ( = V,B in £ 

Rec//inlet( = (letBi in£i),B2 in£2 ^ — > Rec//in[f m V](let B infi) ^ 
— >RecHinlet Bi,t = Ei,B2 in £2 

.vt (FV(/y, FV(£)) 

Rec // in let e in £ — > Rec // in £ (EMPTYLETa) — ' ^ — ■ ( WEAKGCa) 

^ ' Rec// in £ — > Rec //y^^^} in £ ^ ' 

FV(S)UFV(a)UFV(//) FV(5') # Capto(a) 

r — T r — T i ALiljOCaJ 

Rec//ina[5] — > Recx = S,//in a[x] 
Fig. 19 Dynamic semantics of 



Remark 11 (Non-determinism and evaluation order) Unlike in Ao, the reduction of Aa is not 
deterministic because of rules WEAKGCa and ALLOCa. Nevertheless, Aa remains close to 
an abstract machine, which would simply implement a particular reduction strategy. Fur- 
thermore, this non-determinism makes the equational theory of Aa rich enough for the cor- 
rectness proof of Section 5. 

Although Aa is not deterministic, function applications are evaluated from right-to-left, 
because of the lift contexts □ V and E □. This makes the presentation more concise, since 
it avoids lift contexts of the shape alloc n, update n, and update x □, and explains why 
Ao also evaluates its arguments from right to left. The results of the paper can be adapted to 
a left-to-right evaluation setting with some additional work. 



3.2.2 Confluence and errors 

Since reduction in Aa is not deterministic, it is important to make sure that it is confluent. 
In fact, we show that the reduction relation is strongly commuting, which implies that it is 
confluent by Hindley's lemma. 

Lemma 12 (The reduction rules are strongly commuting) For all reduction rules Ri,R2, 
and configurations C,C\, C2, ifC — ^ Ci and C C2, then there exists C' such that C\ 
C andCi^C. 



Proof By case analysis on the possible pairs of reductions. The reduction relation without 
rules WEAKGCa and ALLOCa is deterministic, so we only have to examine the pairs in- 
volving at least one of these rules. □ 



27 



Expression Comments 



Rec e in Before applying rule BETAa, we must re- 

{Xx.(x.X.Y)) duce the function and the argument to val- 

(let y = iY = 0} in iX = y}) ues. For this, we apply (several possible or- 
ders) rules ALLOCa (three times), Let^ and 

i+ EMPTYLETa. 

(xi=iY = 0}, 1 

Rec < X2 = iX = Xi}, > in We then apply rule BETAa (the heap H re- 
yxi= Xx.(x.X.Y) J mains unchanged). 

X3 X2 

I 

Rec // in X2 .X .7 We finally apply rule PRO JECTa twice. 

i+ 

RecffinO 



Fig. 20 An example of reduction in Aa 



A configuration is said to he faulty if it reduces to a configuration in normal form that is 
not in Answers. For a better understanding of the semantics, we now characterize the set of 
faulty configurations. 

Proposition 13 (Faulty configurations) A configuration is faulty iff it reduces to a con- 
figuration C in normal form such that: 

- C = Rec // in [a: V], with either 

- dom(H), or 

- H{x) is not a function, 

- C = RecHin^[nV], 

- orC = Rec //in ^ [x.X], with either 

- X ^ dom{H), or 

- H{x) is not a record with field X, 

- orC = B.ecH±n^[n.X], 

- orC = Rec //in [alloc] and ^ «'[□ n], for all a',n, 

- orC = Rec// in ^ [update x y], with either 

- xory not in dom(//), or 

- X andy have different sizes, i.e., Size(//(x)) ^ Size(//()')), or 

- H{y) of the shape alloc n, 

- orC = Rec//in |[update] an«f ^ ^ ^'[U xy\,for all S,' ,x,y. 



3.3 Examples 

Figure 20 exemplifies the evaluation of a function application in Aa. The function selects 
the Y field of the X field of its argument. However, in Aa, neither the function nor the ar- 
gument are considered values. The evaluation of the argument (let y = -Cy = 0} in -[X = yy) 
involves two heap allocations; first, xi=iY = 0} is allocated; then, we apply rules LETa and 
EMPTYLETa; finally, we allocate X2 = {X = xi}. The evaluation of the function Xx.{x.X.Y) 
involves one heap allocation X3 = Xx.{x.X.Y). The executed expression is then X3 X2, which 
reduces in one step to X2.X.Y, and then in two steps to 0. 
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Expression 



Comments 



Recein 

let odd = alloc n, 

even = Xx. {x = 0) or 

{odd(x-\)), 
_= update o</d 
Xx. {x > 0) and 
{even {x— 1)), 

in even 56 

i+ 

' xi = alloc n, 
X2 = Xx. (x = 0) or 
Rec { {x\ {x— 1)), 

XT, = Xx. (x > 0) and 
(^2(^-1)) 

let _ = update xi X3 
in X2 56 

i+ 

fxi = Xx. {x > 0) and 
X2 = Xx. (X = 0) or 
(^1 (^-1)), 

X2 56 



We pre-allocate a block for odd, evaluate 
even (which points to the dummy block), 
then evaluate the definition of odd and up- 
date the dummy block with it. 



First, the two evaluated heap blocks defin- 
ing odd and even are allocated, yielding xi 
and j;2, respectively. Then, the second argu- 
ment of update is allocated, yielding X3. 



Now xi is updated with x^, which can then 
be garbage-collected, and the evaluation 
can proceed with the two expected mutually 
recursive functions. 



Fig. 21 Mutually recursive functions in X^. (compare with Figure 13) 
Translation of expressions: 



IXx.ej 
lei «2l 

im 

le.X} 

[rec b in e] 

Pre-allocation of bindings: Dummy(e) 

Dummy(j:=|„| e,b) 
Dummy(j: =[7] e,b) 

Update(e) 
Update (j: =|„| e.h) 
Update (j: =i-,j e,b) 



Computation of bindings: 



Xx.M 

{r} 

let Dummy(fc),Update(/)) in[<;] 



(;c = alloc n, Dummy(fe)) 
Dummy(i)) 

e 

(.= (update x Update (fo)) 
(x=H,Update(6)) 



Fig. 22 Standard translation from Xo to X^ 



Figure 21 shows the evaluation of a mutually recursive function definition. It is the Aa 
analogue of the example shown earlier in Figure 13. 



4 Compilation 

4. 1 The standard translation 

We now define a translation from Ao to Aa that straightforwardly implements the in-place 
update trick. This translation, called the standard translation, is defined in Figure 22. 
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The translation is straiglitforward for variables, functions, applications, and record op- 
erations. The translation of a binding b is the concatenation of two Aa bindings. The first 
binding Dummy(fc) is called the pre-allocation binding, and gives instructions to allocate 
dummy blocks on the heap for definitions of known sizes. The second binding Update(^)) 
is called the update binding. It evaluates the definitions and either updates the previously 
pre-allocated dummy blocks for definitions of known sizes, or simply binds the result for 
definitions of unknown sizes. 

Example 14 The standard translation of the first expression of Figure 13 is (part of) the first 
configuration of Figure 21: 



is translated to 



let 



even =p] Xx. (x = 0) or 

{odd(x-\)) 

odd =[„] Xx. [x > 0) and 

{even{x—\)) J 

( odd = alloc n, \ 
even = Xx. (x = 0) or 

\odd\x-\)), 
_ = update odd 

(Xx. [x > 0) and 

(even (x-1))), / 



in eve« 56 



in even 56 



\ 

Remark 15 (Restriction on forward references in Xo) The standard translation crucially re- 
lies on the fact that Xo forbids forward references to definitions of unknown sizes: such 
forward references, after translation, would produce references to unbound variables. For 
example, consider the illegal binding x =[?] y,y =[?] e. Its pre-allocation pass is empty, and 
it is translated as x = y,y = \e\, where y is unbound. (Recall that Aa bindings do not have a 
recursive scope.) 



For any reduction rule R, write 
that are instances of R. 



for the set of pairs of expressions or configurations 



Proposition 16 For all v G values\ vars, there exist H,x such that 

ALLOCa 



Rec£in|vl 



■ Rec// in X 



Proof By case analysis on v. 



From now on, we assume that the notions of size in Xo and X^ are coherent, in the 

following sense. 

Hypothesis 17 (Size) For all H,x, and v £ values \ vars, if Recein|v] — >* Rec// in x, then 
size(v) = Size(//(x)). 

Our main result is: 

Theorem 18 (Correctness) For all e, if e reduces to an answer, loops, or is faulty in Xo 
then so does \e\ in X=. 



The rest of the paper is devoted to proving this theorem. This raises several difficulties, 
which we explain before actually delving into the proof. 
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4.2 Overview of difficulties 

A natural approach to proving the correctness of our translation is to use a simulation ar- 
gument: if e — > e' in Ao, then |e| — >+ |e'|; moreover, if e is an answer, \e\ should be 
an answer as well. However, both properties fail, for reasons illustrated in the following 
examples. 

Example 19 (Administrative reductions) Consider e = Xx.x. Its translation is E = Xx.x, 
which is not an answer. An allocation has to be performed in order to reduce it to the an- 
swer Recy = Xx.xiiLy.In general, the translation of a Ao value reduces in a finite number of 
ALLOCa steps to a Aa answer. 

Example 20 (More administrative reductions) Consider ei = rec )?=[„] Xx.xi.ne2, where 
n = s\ze{?ix.x). If 62 ^ e'2, then ei reduces to e[ = rec y =[„] Xx.x in e'2 in Ao. However, the 
translations of ei and e\ are 

|ei| = let y = alloc «, _ = update y [Xx.x) in [62] 
fe'J = let y = alloc «, _ = update y {Xx.x) in 

and JeiJ does not reduce to [e'j] in Aa: it is generally not possible to reduce |e2l until the 
enclosing let has been fully evaluated. So, if evaluation in Ao occurs under a size-respecting 
binding, then in the compiled code the evaluation of this binding requires a finite number of 
ALLOCa, UPDATEa, LETa, EMPTYLETa, and WEAKGCa steps, which are exactly the same 
in [eil and le'J. 

In order to deal with these administrative reductions, we will introduce another trans- 
lation function, called the top-level translation, which performs them on the fly. This is 
directly inspired by Plotkin's colon translation [26]. However, there are other complications 
that we now illustrate, writing [ej™"" for the top-level translation. 

Example 21 (Granularity) Consider e = (recx =p] Xy.y i-n.x z). It reduces by rule 
SUBSTo to e' = (recx =p] Xy.y ±a{Xy.y) z), and then by rule BetAo to e" = (recx =[?] 
Xy.y in rec y =[?] z in y). Remark that rule SUBSTo duplicates Xy.y, which is not innocent 
w.r.t. the translation: [ej™'' does not reduce to [e'J™''. Thus, rule SuBSTo alone is not 
simulated. In the compiled code, abstracting over the administrative reductions, there is no 
substitution: rule BETAa is applied directiy, fetching the value of x from the heap. Initially, 
we have something like Rec// in x' z, where //(x') = Xy.y, which reduces in one step to 
Rec// in Z- 

Example 22 (Beta and the top-level binding) From Example 21, one could expect that al- 
though rule SUBSTo is not exactly simulated, the combination of rules SubsTq and BetAq 
is. This is not the case, because rule BetAo leaves a fully evaluated binding right where the 
subreduction happened, which is not necessarily at top-level. Consider again Example 21: 
we have seen that [ej™*" is a configuration of the shape Rec// in x' z, where H{x') = Xy.y, 
which reduces in one step to C = Rec// in z. However, after applying SUBSTo and BetAq 
to e, we obtain e" = (rec x =p] Xy.y in rec y =p] z ±ny), where the irmer rec is not at top 
level. Hence, [e"J ™^ is Rec // in let y = z in y, which is different from C. Nevertheless, ap- 
plying EMo to e", we obtain e'" = rec x =p] Xy.y,y=p] z iny, whose top-level translation is 
exactly C. More generally, it turns out that enough reduction sequences consisting of appli- 
cations of SUBSTo, BetAo, and a combination of LifTo, IMo, and EMo are simulated by 

I^.JTOP 
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Example 23 (Stuttering reductions) In some cases, we have e — > e' , but [ej™'' = [e']™"". 
For instance, consider e of the shape e = rec in rec x =[?] (rec b inei) in ei- By rule 
EMo, e reduces to e' = rec bv,x =p] (rec Z> in ei) in 62- In fact, in both cases, [•J™'" trans- 
lates by on the fly, so that [ej™*" = [e']™*". Thus, the preservation of non-termination is not 
trivial. 

Example 24 (Lifting and allocation) Let b = {y =[7] (Axi-Xi) z) and consider e = 
(Xxi-Xi) (rec b iny), which reduces by rule LifTq to e' = rec b in{Xxi.xi) y. Anticipat- 
ing again the definition of [ J™'' below, in e, ?lxi.xi appears at top-level, and is therefore 
allocated on the fly, but not ?iX2-X2, so we obtain 

C = LeJ™"" = Recx = Xxi.xi ±nx (let y = (Axi-Xi) Z iny). 

On the other hand, in e', Xx2.x2 appears at top-level, but not Xxi.xi, which Ues below a not 
fully evaluated binding, so we have 

C' = [e'l ™'' = Recx' = Axi-Xi in let y = x' z in {Xx\ .xi ) y. 

Thus, some ALLOCa reductions performed in [ej™'' are not performed in [e'J™''. Here, C 
reduces by LiFTa and ALLOCa to Recx = Xxi-XijX" = Axi-Xiin let 3' = / zi-axy, which can 
be reached from C' by ALLOCa- 



4.3 Overview of the correctness proof 

Here is how we deal with these difficulties. First, Example 24 shows that no small-step sim- 
ulation holds, so we adopt a less accurate notion of observation, namely evaluation answers 
and non-termination: 

- if e reduces to an answer a, then its translation reduces to some Aa answer related to a; 

- if e reduces infinitely, then so does its translation. 

In order to prove this result, we consider some of the reduction rules of Ao and Aa 
as structural, i.e., not counting as proper reduction steps. This eliminates almost all the 
difficulties and preserves our notion of observation. The only remaining difficulty is that of 
Example 21, which we cannot solve in the same way. Indeed, we neither want SUBSTo nor 
BetAo and ProjecTo to be considered structural, as we now explain. First, deeming BetAo 
structural would prevent us from proving that non termination is preserved (and doing so for 
ProjecTo is thus only a partial, imsatisfactory solution). Furthermore, the equational theory 

SUBST 

of Aa is not rich enough to equate [eJ™*" and [e']™"" when e — >° e'. Indeed, this would 
involve a currently forbidden duplication ("unsharing") of a stored value. It seems possible 
to extend Aa in a meaningful way, so as to support unsharing of stored values in some cases. 
It also seems possible to modify the semantics of Ao to avoid duplication before rules BetAq 
and ProjecTo. However, the spirit of this article is to keep the source and target languages 
as standard as possible, which rules out these solutions. Our solution is to consider bigger 
steps as atomic in Aoi we consider atomic a sequence of applications of S UBS To, followed 
by an application of BetAo or ProjecTo, followed by possible applications of LifTo, and 
terminated by a possible application of IMo or EMo (to lift a possible binding created by 
application of BetAo and merge it with the top-level binding). 

We now outline the main steps of the proof, detailed in Section 5. 
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e 



a 




e 



■>- a 




Rec e in \e\ 



TOP 



TOP 



Recein|a] 



C 




Fig. 23 Summary of the proof (for observation of evaluation answers) 

The top-level translation We start by defining the top-level translation [•J™'', based on an 
enriched notion of context in Aa, which lends itself better than the standard translation to a 
simulation argument. 



Quotient of Aa Then, we consider Aa, defined as Aa modulo rules UPDATEa, LETa, 
EMPTYLETa, WEAKGCa, and ALLOCa- These rules are strongly normalizing, and we 
define a faithful translation from Aa to Aa, by taking normal forms as representatives of 
equivalence classes. Furthermore, the translations |[ | and [•J™'' are well-defined from 
Ao to Aa, by composition with the canonical injection from Aa to Aa- Define =a as the 
equality in Aa, i.e., the equality of equivalence classes. We then show two crucial properties 
gained by taking the quotient. First, we abstract over the administrative reductions: 
for any e, |ej =a [ej™*". Second, we make the translation compositional: for all e, E, 
LE[e]J™'' =a LEj™''[Iel]. This addresses the problems illustrated by Examples 19, 20, 
and 24. 



Quotient of Xo Then, we modify the notion of evaluation of Ao by merging rule SubsTq 
with the immediately following rules. We obtain a language where, instead of first copying 
the value of a variable and then reducing, we perform the reduction exactly as in Aa by fetch- 
ing the value from the heap, applying the appropriate rule, and, in the case of beta reduction, 
merging the obtained binding with the top-level one (all this in one step). This language cor- 
rectly simulates Ao, since it reaches the same values, diverges on the same expressions, and 
goes wrong on the same expressions. This addresses the problems described in Examples 21 
and 22. Then, we quotient the obtained language by rule EMo. This gives a language called 
Ao which also simulates Ao, eliminating the issue raised by Example 23. 



Correctness Finally, [•J™'', as a function from Ao to Aa, yields a simulation. Writing — >- 
for reduction in Ao, — >a for reduction in Aa, i for the injection from Ao into Ao, and repr(C) 
for the normal form of C modulo rules UPDATEa, LETa, EMPTYLETa, WEAKGCa, and 
ALLOCa, the proof may be summarized as in Figure 23 (for observation of evaluation an- 
swers), where the dotted arrows and equal signs corresponds to intermediate results. 
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5 Correctness 

5.1 The top-level translation 

5.1.1 Overview 

We first define the top-level translation from Ao to Aa. We start with a simple example. 

Example 25 The top-level translation of the first expression of Figure 13 is the last config- 
uration of Figure 21 : 



/ even =[7] Xx. {x = 0) or \ 
{odd (x — 1)), 
odd =[„] Xx. (x > 0) and 
y {even {x— I)) J 



in even 56 



gives 



Rec 



/ Xi = Xx. {x > 0) and \ 
{x2{x-\)), 
X2 = Xx. {x = 0) or 
V (m{x-1))J 



in X2 56 



Roughly, we consider three levels in the translated expression e. 

Top-level The first level consists of the (possibly empty) fully evaluated part bv of the 
top-level binding of e, if any. At this level, [-J™^ performs all administrative reduc- 
tions, as previewed in Examples 19 and 20. Hence, the top-level translation maps b^, to 
a pair of a heap and a substitution, representing the heap after evaluation of the stan- 
dard translation of b^, plus the successive substitutions produced by this evaluation. 

For instance, if by = {y =[„] Xx y ■ ■ ■), then its standard translation is y = alloc n, - = 

update y {Xx y.--)- Its top-level translation gives directly what we would obtain 

after performing the admninistrative reductions, i.e., the heap y' = Xx / . . . and the 

substitution [y 1-^ / ] . 

Allocating After b^, we expect [-J^^ to map answers to answers. Thus, we also want ad- 
ministrative reductions to be performed on the fly. The difference with the previous level 
is that (although we could do it) we do not perform administrative reductions on rec's. 
Indeed, it is not necessary, and it would lead to considering more rules as administrative 
in Xa_. For example, consider an expression of the shape e = (rec in (I'ec in ei ) 62), 
with dom(i') # FV(fcv) U FV(e2). This expression reduces by rules LiFTo and EMo to 
e' = (rec bv,b inei £2)- The purpose of performing the administrative reductions on 
the fly is to abstract over some reduction rules that are considered administrative in Aa, 
because they have no equivalent in Xo. Here, rule LifTo does have an equivalent in Xo, 
so we may avoid the administrative reductions for b in [ej™*" (and perform them for 

Thus, for translating after b^, we must define a translation function different from [•J™'', 
but nevertheless performing some administrative reductions. This is the purpose of the 
allocating translation [-J . In fact, except for the rec case, [■J™'' and [-J perform exactly 
the same administrative reductions, and we define [-J™^ in terms of [-J . 
Standard In other the parts of e, where no administrative reductions are to be performed, 
we apply H. 
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[rec b in ej 



; Receinj: 

; Rec^ = A.x [filing 

; Rec<' = {r}in<' 



; Recff in|ei] E 

; Recff infi.X 

; Rec e in |rec b in e\ 



; Rec Hi in E 
ERecfl2iny 



if 



62 ^ values 

[eaj ^Recff infi 

;Recff in£ 



Fig. 24 The allocating translation from Xo to Aa 



5.7.2 The allocating translation 

Let us now formally define [ J. The idea is to translate the evaluated part of the input ex- 
pression into a proper Aa evaluation context, performing the administrative reductions on the 
fly. When the not-yet-evaluated parts of the expression are reached, the standard translation 
is used. For instance, given a function application e\ e^, where is not a value, one can 
consider that the current evaluation point is inside £2, and therefore that e\ has remained 
untouched. So, we will use and [£2] • The function [-J is defined in Figure 24. 

Definition 26 (Locations and substitutions) We choose a set Locs C vars of locations, ranged 
over by such that Locs and vars\ Locs are both infinite. We consider only Ac raw expres- 
sions whose free and bound variables are in vars\ Locs, which is from now on ranged over 
by X. We consider only Aa raw configurations KecHlnE such that dom(//) C Locs and 
locations are never bound in E or the right-hand sides of H. From now on, we also call 
substitutions, ranged over by a, functions from vars to vars whose support is disjoint from 
Locs. Composition of these substitutions is well defined as mere function composition. We 
call variable allocations such substitutions that are furthermore injective on their support 
and whose cosupport only contains locations. We denote them by g (final sigma). 

We stress in passing that the cosupport, and free variables of substitutions stay the same, 
e.g., cosupport may contain locations. 

We then define [ J as a function from Xo equivalence classes to Aa configurations (it is 
obviously well defined). 

As for the standard translation, variables are translated into themselves. A function Xx.e 
is translated to A.j;.|e], but the result is allocated on the heap, at a fresh location t. Rec^ = 
Xx. \e\ in I. The translation of records is similar. For translating function application, we use 
a new notation: given two heaps H\ and H2 such that dom{H\ ) # Aom{H2), we write H\,H2 
for their concatenation, which is a heap again. If the argument part is not a value, then it 
is translated with [-J, while the function is translated with If the argument is a value, 
then both parts are translated with [-J . The translation of a record selection e.X consists of 
translating e with [-J and then selecting the fieldX. Finally, a binding rec in e is translated 
to Rec £ in |rec ft in e| . 

5.7.5 Generalized contexts 

Given an expression e, in order to calculate [eJ™"", we will decompose e into its top-level 
binding bi and the rest of the expression ei, and the result will be the translation of ei, put in 
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some context representing h\ , written [fcij™^, which is defined in Figure 27 (Section 5.1.8), 
using notions defined in Sections 5. 1 .3 to 5. 1 .7. The binding is divided into its evaluated part 
by and the rest b, which can be empty, but does not begin with a size-respecting definition. 
We start by giving an informal account of the handling of b^ and b, which leads us to the 
definition of a generalized notion of context in Aa. 

Let us first explain the translation of the unevaluated part b. In [■], the Dummy function 
produces instructions for allocating dummy blocks. In the top-level translation, these blocks 
are directly allocated by the function TDum (see Section 5.1.8), which returns the heap of 
dummy blocks and the substitution replacing variables with the corresponding locations. As 
a first example, given a binding b = {xi =[?] 61,^:2 =[„] C2), TDum{b) essentially returns a 
heap £2 = alloc n and the substitution [x2 1— > ii] - This corresponds to the fact that after the 
pre-allocation pass (as generated by the standard translation), the update pass takes place 
under this heap and substitution. 

In 1], the Update function produces instructions to either update a dvunmy block with 
the translation of the definition, or to perform the binding implied by the definition. In [•J™'', 
the only difference is that the first definition in b is translated with [ J , while the remaining 
ones - still considered to lie past the current evaluation point - are translated with |-] . This is 
done by function TUp (see Section 5.1.8). On the previous example, if [eij = B.ecH\ in£i, 
then TUp{b) essentially returns the heap Hi and the binding xi = = update X2 feil- 
Under the substitution returned by TDum, the second definition becomes update £2 {62}, 
as expected. 

Now, what should be the top-level translation, written Top(ZJv), of the evaluated part 
fov? As mentioned above, this translation yields a heap and a substitution. The translation of 
definitions is relatively natural, but it is difficult to assemble the results in a coherent manner. 
First, consider a single definition xov. The allocating translation of v is an answer, of the 
shape Rec// in y. It is thus clear that the generated heap and substitution should be H and 
[x H^- y], respectively. 

The next question is how to assemble the results obtained for each definition. First, 

we remark that in the absence of forward references, substitutions should be composed 
from right to left. For instance, on a binding like b^ = (xi =p] xo,X2 =[?] xi), the generated 
substitution must be [xi 1— > xo] o [x2 1— > xi], and not the converse. Thus, definitions can be 
altered by previous definitions, which may have replaced some variables with other values. 

However, because of forward references in Ao bindings, the translated definitions may 
also have to be altered by subsequent definitions. For instance, consider the binding by = 
(xi =[7] X2,X2 =[„] Ax.x), where n = size(Ax.x). The top-level translation turns by into a heap 
and a substitution. The translation of the first definition consists of the heap Hi = e and 
the substitution ct = [xi ^ X2], so that subsequent occurrences of xi are replaced with X2. 
Then, we translate the second definition. This gives H2 = {£2 = Xx.x) and q = [x2^ £2], 
for some fresh location £2. Naively, one could think that the substitution corresponding to 
the whole binding should be the right-to-left composition of the obtained substitutions. But 
this is wrong, since the obtained substitution would be a o g. Under this substitution, a call 
to xi becomes [xi X2]([x2 i-^ £2] (xi)) =X2, while it should rather be directed to £2. This 
example illustrates that variable allocations performed by the translation are expected to 
alter previous forward references to them, which possibly appear as substitutions. 

This leads us to define a new notion of context in Aa, called generalized context, in terms 
of which we define the translation of bindings. The functions TDum, TUp, and Top will 
be defined as returning generalized contexts, which makes their uniform treatment easier. 
Basically, the idea of generalized contexts is that they contain a heap, an allocation context, 
and two substitutions, rather than one. This allows distinguishing variable allocations x 1— > 
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which might alter previous translations, from normal substitutions jc i— > y, which may not. 
Basically, only definitions of known size can alter previous translations, because they are 
the only ones that can be forward referenced. Furthermore, crucially, we will require that 
the normal substitution of a generalized context be one-way, in the following sense. 

Definition 27 (One-way substitution) A substitution a (with implicitly supp(<7) # Locs, by 
Definition 26) is one-way iff supp(c7) #cosupp(CT). 

From the informal explanations above, it should sound natural that the unknown size 
definitions of the shape x y generate one-way substitutions. Indeed, they only "go left" 
in the binding, and no binding may define, say x =[?] y,y =[7] x, because of the syntactic 
restriction on forward references. 

Let us first prove the following easy lemmas on substitutions. 

Lemma 28 For all one-way substitutions a, a o a = a. 

Proof For all variable x, either x ^ supp((j), and then both sides are equal to x, or x E 
supp(cT), but then a{x) G cosupp(<7), which by hypothesis implies a{x) ^ supp(<7), hence 
C7 (c7 (x) ) = C7 (x) , as expected. □ 

Lemma 29 For all substitutions (7i and 02, 

- supp(0'i o CT2) C supp((Ti ) U supp((T2), and 

- cosupp(CTi o CT2) C cosupp(CTi) Ucosupp(CT2)- 

Proof The first point is point is easy by contradiction. 

For the second point, asstmie x G cosupp(<7i o 02). There is some y^x such that (<7i o 

(^2){y)=x. 

Let z = 02{y).lf X ^ cosupp(cJi), then z = x,so 02{y) = x, and x e cosupp(cJ2). 

□ 

Lemma 30 For all substitutions ai and 02. if FV(c7i) # supp((72). then Ci o 02 = 01(02) ° 

Oh 

Proof Letx G vars. 

- If X e supp(a2), then x ^ FV((7i), so (01(02) o Oi)(x) = (oi(o2))(x), which is the ex- 
pected result. 

- Otherwise, if x G supp(<7i), then Oi(x) G cosupp(cri), so Oi(x) ^ supp((72), hence 

(<7i(<72) o C7i)(x) = <7i(x) = (<7i o (72) (x). 

□ 

Lemma 31 For all o,g, ?/'supp(<7) # supp(^), then g(o) og = goaog. 

Proof Letx G vars. 

- If g(x) G supp(ct), then both sides are equal to (g o ct o g)(x). 

- Otherwise, since g is one-way, ^ o g = g, so (g(o) o g)(x) = g(x) = (g o g)(x) = (g o 
oog)(x). 

□ 



Corollary 32 For all g, o, if supp(g) # supp(CT), then goc7 = goc7og. 
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Proof By Lemmas 30 and 31, since obviously supp(^) # supp(<7) implies FV(^) # supp(<7). 

□ 

Then, we have the following obvious, but useful result. 

Proposition 33 For all a,a,E, iffM{a) # Captn(a), then a{a[E\) = {a{a))[a{E)]. 

Corollary 34 For all a,a,E, if a o a = a and FV(<7) # Captn(a), then a{a[E]) = 
a{a[aiE)]). 

Proof By Proposition 33, a{a[E]) = (<7(a))[<7(£)] = (<7(a))[(<7 o C7)(£')] = <7(a[<7(£)]). 

□ 

Then, we give the following sufficient condition for the composition of two one-way 
substitutions to be one-way. We recall that FV(c7i) # supp((T2) means 

- supp(c7i) # supp(c72) and 

- cosupp(<7i) # supp(o2). 

Lemma 35 For all one-way substitutions <7i and 02, //'FV(<7i) # supp(02), then 

- <7i o <J2 is one-way, 

- supp(CTi o CT2) = supp(c7i) Usupp(02), 

- COSUpp((7i) C cosupp((7i o CT2). 

Proof We prove that <7i o 02 is one-way by contradition. Let <7 = <7i o <72 and assume the 
existence ofxE cosupp((7) fl supp(c7), i.e., the existence of x,y, and z, such that 

- a{x)=y with x^y, and 

- <7(z) =a: withx/z. 

Let then x' = (72 W and z' = 0'2(z), so that we informally have: 

(72 , <7i 

X x > y 



(72 _ / <7i 



- If X / jc' and x ^ z', then x G supp(CT2) H cosupp(CTi ) which is impossible by hypothesis. 

- lfx = xf and xj^z!, then x G supp((7i) fl cosupp((7i), which is impossible because <7i is 
one-way. 

- If x = z' and X / xf, then x G supp((72) fl cosupp(<72), which is impossible because 02 is 
one-way. 

- lix = x! and x = z', then (7(z) = y which is impossible since <7(z) = x and x / y. 
The second point is proved as follows. 

- By Lemma 29, supp(CTi o CT2) C supp(CTi) Usupp(CT2); 

- If X G supp(CTi) Usupp(a2) butx ^ supp(<7i o 02), i.e., <7i(<72(x)) =x, then lety = <72(x). 
If X = y, then ai (x) = (7i (y) = x, so x is neither in supp(<7i) nor in supp((72), which con- 
tradicts x G supp((7i)Usupp((72) - Otherwise, we have y /x, which impUes x G supp((72)> 
and furthermore and ((7i o (72) (x) = (7i(y) =x, so x G cosupp((7i) nsupp((72), a contra- 
diction. 
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FV((H ; a ; CT ; g)) = (FV(ff) U FV(a) U FV(f7) U FV(g)) \dom(ff) 
Captn((// ; a ; a ; g)) = Capto (a) Usupp(o') Usupp(5) 

Fig. 25 Free variables and captured variables for generalized contexts 

H = H' a = a' a = a' 5 = 5' i:''^dom(/^j a' - J ^ l'\(a) g' - J ^ l']{g) 
{H-a;a;g) = {H' ;a' ; g') {(H,e = S) ; a ; a ig) = ((H/ = S) ; a ; a' ;g') 

Fig. 26 Structural equivalence of generalized contexts 

Let us now prove the third point: letjc 6 cosupp(CTi). There exists y 7^ x such that Oi {y) = 
X. By hypothesis, this y is not in supp(CT2), so (cti o (72)(>') =x, andx € cosupp(CTi o 02). □ 

Definition 36 ( Generalized contexts) A generalized context is a 4-tuple of a heap H, an 
allocation context a, a substitution a, and a variable allocation q, written y {H ; a ; a ; 
g), such that 

- CT is one-way, 

- supp(ct) #supp(g), 

- a and the range of H do not have any free location, 

- cosupp((T) n Locs C dom(/f), 

- and cosupp(5) C dom(/f). 

A generalized evaluation context is a generalized context whose allocation context is an 
evaluation context, i.e., a generalized context of the shape {H ; ^ ; <T ; 

The generalized contexts generated by the translation of size-respecting bindings will 
have □ as their allocation context. We call such generalized contexts generalized bindings, 
and write them /3 . 

The generalized contexts generated by dummy allocation of bindings will have the shape 
(ff ; □ ; id ; ^). We call such generalized contexts generalized dummy allocations, and write 
them 5. 

Also, we define the syntactic sugar {H ; B ; a ; g), which, if B is not empty, denotes 
{H ; let 5 in □ ; CT ; g), and otherwise denotes {H ; D ; a ; g). Further, bindings B are 
implicitly coerced to generalized contexts (e ; S ; id ; id). Finally, we simply write a for 
(e ; □ ; CT ; id), and define Subst((;/ ; a ; ct ; g)) = g o ct and Cont((/f ; a ; o ; g)) = a. 

Notes: dom(//) contains only locations, and is thus inherently disjoint from supp(CT) 
and supp(g). Also, recall that every evaluation context ^ is also an allocation context a. 

Next, we define structural equivalence on generalized contexts, using the definition of 
free variables in Figure 25. For helping the intuition we also define the captured variables 
for generalized contexts. The intuition behind structural equivalence of generalized contexts 
is that the locations bound in dom(//) may be renamed freely, since they may only be men- 
tioned in the cosupport of CT and g. Formally, structural equivalence is defined in Figure 26, 
as the least equivalence relation respecting the rules. The first rule says that a-equivalence 
on expressions, heaps, and stored values is included; the second rule says that a location in 
the heap may be renamed, provided it does not clash with another one. 

Example 37 Consider the bindings bv = {x\ =[■?] xo,x2 =[■}] X4,X3 =[•?] xi,x4 =[„] ?ix.x), which 
is an interleaving of previous examples, and b = {x^ =j„] X2). 
Via Top, each definition in b^ yields a generalized context: 
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- xi yields yn = (e ; □ ; [xi i-^xq] ; id), 

- X2 yields 712 = (e ; □ ; [x2 1-^ X4] ; id), 

- X3 yields 713 = {£ ; □ ; [xa i-> xi] ; id), and 

- X4 yields 714 = {£ = Ax.x ; □ ; id ; [x4 1— > £]). 

The not yet evaluated binding b yields the heap H = (! = alloc n and the variable 
allocation g = [x5 1-^ (!] by function TDum, which we write 72 = (//;□; id ; q). 

Via TUp, h yields the heap H' = £ and the binding B = {_ = update X5 X2), which we 
write 73 = {H' ; let B in □ ; id ; id). Note that this is the only use of generalized contexts 
using allocation contexts (here let B in □) which are not evaluation contexts. 

5.1.4 Composition of generalized contexts 

We then need a notion of composition of generalized contexts, in order to assemble the 
pieces of our translation. The guiding intuition here is that when composing two generalized 
contexts 71 = {Hi ; ai ; <7i ; ^i) and 72 = {H2 ; a2 ; 02 ; ?2)> we want the result to be well- 
defined and equal to 

{HuH2 ; ai[a2] ; (Ti o CT2 ; qi+gi), 

but we also want the following two equations to hold for any composable 71 and yz, and for 
any expression E: 

((gi + g2) o cJi o ci2){Hi,H2) = ((gi +52) ° oi){Hi), 

(giOfc(<7i)og2 0<72)(^?2)) 

and 

((?! + ° CTi o <72)(ai[a2[£]]) = (to ° C7i)(ai[(g2 ° C52)(a2[£'])])- 

In these equations, the left member is (part of) what we get by applying the result of 
the composition to E, as defined below (Definition 45). The right member describes how 
we would like the four substitutions to interact. For instance, 02 is a standard substitution, 
which does not affect upper levels of context: in both left members, it does not act on the 
components of 71 . On the other hand 52 has to affect them, but should not be shortcut by 
OCi and C7i, which explains why we require that it still affects the variables in a2[E] and H2 
before, respectively, ai and CTi, which come first in the left members. 

We use the following definition, which natural except for the domain of definition: two 
generalized contexts 71 = {Hi ; ai ; C7i ; gi) and ^ = {H2 ; a2 , 02 ; gz) are composable, 
written 7i )- Y2, iff 

- the four substitutions (7i , gi , 02, and g2 have pairwise disjoint supports, 

- supp(c72)#FV(7i), 

- Captn(ai)#FV(a2)UFV(g2). 

These conditions are oviously preserved by structural equivalence, which justifies the defi- 
nition of composability on equivalence classes of generalized contexts. 
We then state: 

Definition 38 (Composition of generalized contexts) For all such composable generalized 
contexts 71 and fz define their composition Yi ® fz Yi ® "Yi = {Hi,H2 ; 0!i[0!2] ; ° 
02 ; gi + g2), provided dom(ffi) # dom(F2) (which can always be reached by structural 
equivalence). 
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Proposition 39 The conditions for being composable are equivalent to 

- FV(a,)#supp(a2), 

- supp(gi) #supp(g2), 

- supp(<7i)Usupp(<72) #supp(gi)Usupp(g2), 

- supp(cT2)#FV(//i)UFV(ai), 

- cosupp(a2) # CaptQ(ai), 

- supp(fc)#supp(c5-i)UCaptn(ai). 



Proof Easy check. □ 

In the hght of this, the conditions for composabihty may be understood as follows: 

- The first three items ensure that the result is a well-formed generalized context. Well, 
actually they do a bit more: they use the sufficient condition of Lemma 35, requiring 
FV(cti) #supp(<72) and supp(c7i) Usupp(CT2) # supp(gi) Usupp(g2) instead of requiring 
CTi o CT2 to be one-way, and supp(CTi o CT2) # supp(gi) U supp(g2) to hold. But this more 
restrictive requirement allows an easy proof of weak associativity for composition of 
generalized contexts, and is general enough for our purposes. 

- The fourth item ensures that (J2 does not affect Hi and 0£i. 

- The fifth item ensures that CT2 is not shortcut by ai (i.e., <72(0!i[- • •]) = O2(0!i)[O2(- • •)]' 
which by the previous point is in fact ai [(J2(. . .)]). 

- The sixth item ensures that is not shortcut by <7i and tti. 



Example 40 Consider again from Example 37. Its top-level translation is yn ® 712 ® 
7i3 ® 714. which is exactly 71 = {Hi,^ ; □ ; ct;,^ ; gi„)> with the heap Hi,^ =i = Xx.x, the vari- 
able allocation g^,^ = [x^ 1— > £] , and the substitution oi^ = [xi,X3 1-^ xo,X2 1-^ X4]. Note that the 
rest of the translation ensures that variable allocations are always apphed after substitutions, 
so that X2 will eventually be redirected to £. 

We noww prove useful sufficient conditions for composabihty and associativity. They 
use the following notation for, respectively, the unknown size and known size variables of a 
binding b: 

- Wib) = {x \ 3e,(x=p] e) e b}, 

- KV(Z>) = {x I 3n,e, {x =[„] e) e b}. 

Proposition 41 If{b\,b2) is syntactically correct, then FV(foi) # UV(Z)2). 

Definition 42 For aU generalized contexts y = {H ; a ; a \ q), and correct bindings b, we 
say that b justifies 7, and write Z> h 7, iff: 

- FV(7) C FV(fo), and more specifically, 

- supp(c7) C UV{Z?), 

- supp(g) C KV(fc). 

Lemma 43 Assume a correct binding of the shape {bi , b2) and two generalized contexts 
Yi = (Hi ; a,- ; a,- ; q), such that bi h Yi.for i=l,2. If moreover Captn(ai) = 0, then yx^Ji 
andb\,b2 I- 7i ® 1^. 



Proof First, the four involved substitutions have as supports the domains of pairwise disjoint 
parts of b\ , Z?2, hence have pairwise disjoint supports. Furthermore, since b\ , Z?2 is correct, bi 
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makes no (forward) reference to UV(Z)2), hence supp(02) # FV(yi). Thus, Captn(0!i) being 
empty, we have yi ^72. 
Furthermore, we have 

FV(7i ®^) C FV(yi)UFV(]^) C FV(Z7i) U FV(fe2) = FV(Z7i,i2). 

By a similar reasoning on substitutions, we obtain bi,b2^ Yi ®T2&s desired. □ 

Lemma 44 Assume a correct binding of the shape {b\,b2,bT,) and three generalized con- 
texts Ji = {Hi ; a,- ; (7/ ; q), such that bi h 7, for i= 1, 2, 3. If moreover Capt^ (a,) = 0, /or 
! = 1,2, r/jen {Yi®'Yi)®yi and yi ® (l^ ® ■ys ) are defined and equal. 



Proof By the previous Lemma, we obtain Y\ Yi b\^b2 l~ 71,72, hence by the same 
Lemma, (71 ® 72) >- 73. Symmetrically, 71 ;^ (l^ ® Ji). Thus, both sides are defined at the 
same time. Equality is then a simple check. □ 



5.7.5 Generalized context application 



We have seen that the top-level binding will be translated as a generalized context. We will 
then fill the context hole with the translation of the rest of the expression, using generalized 
context appUcation, which we now define. 

Definition 45 (Generalized context application) For every generalized context j= {H ; a ; 
a ; q) and configuration C = Re c//' in £, let j[C\ = {Kec{q o a)(H,H')i.ii{q o a){a[E])) 
be the application of yto C, provided Aom{H') # dom{H) U cosupp(<7) U cosupp(^) (which 
may always be reached by structural equivalence). 

Example 46 Consider again the binding {by,b) from Example 37. Its translation is ® 71 ® 
Yi, which is exactly y = {Ho \ Oo \ \ q o g^^), with 

-the heap ffo^(^r//,,^;^„) 
- and the context Oq = let B in □. 

If, for instance, 7 is filled with a configuration RecT/inZi, if the conditions for the 
generalized context application are met, we get 7[Rec// in E] = Rec a{HQ,H) in cr(ao[£']), 

fxs^e', \ 



where a = {q o q^ o Ob^) . 



X\ ,X3 Xq 
X2 ^ £, 

\^ X4 1— > £ y 



We now prove the equations that had motivated the definition of generalized context 
composition. 

Lemma 47 For all composable generalized contexts Yi = {Hi ; a,- ; CT,- ; and configuration 
KecHinE, if dom{H) # Aom{H\,H2), then 

(71 ® l^)[RecHin£] = Rec ((gi + 52) o 

{qioq2{ai)oq2oa2){H2,H) 
in((gi + 52) o C7i)(ai[(g2 o a2){a2[E\)]). 
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Proof First, by J\ y Ji, we have VM{H\) # supp((72), so ((^i + qi) oa\o ai) {Hi) = ((^i + 

gi) o <yi){Hi). 

Furthermore, ?i + ft = ?i ° ft- But by yi y 'Yi again, we have supp(ft) # supp(CTi). So 
by Lemma 30, 5200-1 = fc(c5-i) o ft. This gives ((ft +ft) o CTi o a2){H2,H) = (ft o ft(c5-i) o 

g2 0CJ2)(^^2,^^). 

Now, by composabiUty again, Captn(ai) # FV(<72) U FV(ft). But FV(ft o 02) Q 

FV(ct2) U FV(g2), so Captn (ai) # FV(g2 ° 02). By Proposition 33 and the above, this yields 
(g2 o cT2)(ai[a2[£]]) = ((^2 ° CT2)ai)[(g2 ° a2){a2[E])]. 

But supp(o-2) # FV(ai) and 52 o 52 = ^2, so ((52 o cj2)ai)[(g2 o CT2)(a2[£'])] = 
(ft(o!i))[(ft ° ft ° C72)(a2[£'])], hence by Proposition 33 again, this is equal to 
ft(ai[(fe o (T2)(a2 [£■])])• Thus, ((gi +52) o cJi o C72)(ai[a2[£]]) is indeed equal to 
(gi o 52(^1) o g2)(«i [(Q o C72)(a2[£'])]), which is in turn equal to ((gi + g2) o <7i)(ai [(g2 o 
a2)(a2[£])]), as desired. □ 



5.1.6 Weak composition of generalized contexts 

Although the notion of composition of generalized contexts is needed to properly translate 
size-respecting bindings, it is somewhat inconvenient to reason with. For instance, the usual 
equation (71 ® Y2)[C] = Yi[Y2.[C]] obviously does not hold in general: the variable alloca- 
tion of 72 may affect 71 in (71 ® ')^)[C], but not in 7i[7i[C]]. Nevertheless, when 71 and y2 
stem from distinct bindings with no defined variable in common, we recover more standard 
properties. More generally, we define the following notions of context interference and weak 
composition, which take advantage of such cases in the following sense: weak composition 
has more standard properties than ®, and coincides with it when the considered contexts do 
not interfere. We first define weak composition and show that it satisfies the equation above. 

Definition 48 (Weak composition of generalized contexts) Given 7 = (//,■ ; a,- ; (7,- ; g,), for 
i = 1,2, if 7i 1^ is defined, we define 71 o ^ = {{H\,H2) ; a\[a2] ; (gi o (Ji o g2 o 02) ; id). 

Proposition 49 For all 71 , y2, and C, (71 o ^) [C] = 71 [^2 [C]], when the former is defined. 

Proof By definition of weak composition and generalized context application. □ 

Now, we define context interference, and state the expected result. 

Definition 50 (Context interference) Given two generalized contexts 7 = (//,■ ; a,- ; a-, ; g,), 
for i = 1, 2, let us say that the pair (the order matters) (71 , y2) interferes iff supp(g2) intersects 
FV((7i), so that g2 o Oi and <7i o g2 are not necessarily equal. 

Proposition 51 7/'supp(g) # FV(ct), then (g o ct) = (c7 o g). 

Proof Since g is a variable allocation, cosupp(g) # supp(CT), by which the result follows. 

□ 

Proposition 52 For all 71 and J2, Ti ® 72 and 71 o -j^ are defined at the same time, and if 
{yxiji) does not interfere, then (71 ®y2) = (71 o ■)^). 



Proof By definition of composition and interference. 



□ 
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5.7.7 Preservation of some reductions inside generalized contexts 

In this section, before presenting the top-level translation, we collect two small results about 

preservation of certain reductions inside certain generalized contexts. 

First, we remark that not every reduction is preserved inside generalized contexts, since 
for instance, rules LETa and EMPTYLETa are only valid at top-level. However, inside gen- 
eralized bindings, reduction is preserved. Note that every generalized dummy allocation is a 
generalized binding, so the following result also applies to generalized dummy allocations. 

Proposition 53 For all Ci , C2, and jS, ifCi — > C2, then j3 [Ci] — > j3 [C2]. 

Proof By case analysis on the applied rule. □ 

Moreover, we note that rule ALLOCa is preserved by generalized context application. 

Proposition 54 For all generalized contexts y, and configurations C and C', ifC > C', 

then y[C] y[C']. 

Proof Follows from composability of allocation contexts: for all a\ and tti, (Zi [0:2] is an 
allocation context. □ 



5.1.8 The top-level translation 

We now present the top-level translation [ J™'', defined in Figure 27, as a function from Ao 
(a-equivalence classes of) expressions to Aa configurations (it is well defined). As explained 
above, generalized bindings are used to record the already translated definitions along the 
translation of top-level bindings, preserving the distinction between variable allocations g 
and ordinary substitutions a. Variable allocations that must alter previous translations are 
those generated by the translation of a =[„] definition, since only those can be forward 
referenced. 

We first define the top-level translation without checking the validity of the involved 
generalized context compositions. They are checked shortly afterwards. 

The top-level translation handles the size-respecting part of top-level bindings with the 
function Top. This function expects a size-respecting binding. When its argument is the 
empty binding, it returns the empty generalized binding. For non-empty bindings, the def- 
initions are translated as sketched above. For a definition of unknown size x =[?] v, v is 
translated by [-J to Rec// in V , and is included in the translation as the generalized binding 
(// ; □ ; y] ; id). A definition of known size x =[„] v is translated into a heap and a 
variable allocation: v has a translation of the shape Recffin i, and it is included in the trans- 
lation of foy as (// ; □ ; id ; [x^ I']). The top-level translation of an evaluated binding is the 
composition of the translations of its definitions. If the result is some (//;□; (7 ; g), then 
the variable allocation is applied after the ordinary substitution, which allows the correct 
treatment of forward references, as sketched in Section 5.1.3. 

The two other functions, TDum and TUp, are defined as announced in the beginning of 
Section 5.1.3. The three functions return generalized contexts: TDum returns a generalized 
dummy allocation (/f ; □ ; id ; q), TUp returns (// ; B ; id ; id), which (by the notation of 
Section 5.1.3) is {H ; let S in □ ; id ; id) if 5 / £, and (ff ; □ ; id ; id) otherwise. 

In case the whole binding [by^b) is evaluated (i.e., b is empty), the contexts for pre- 
allocation and update, TDum(Z?) and TUp(Z7) are empty, and [rec Z?v,^ in ej™*" is [ej. 
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TOP — 



[b] ™'' [Rec e in [ej] ifb is not size-respecting 
[e] if e is not of the form rec b in e' 



TOP 



[KM 



TOP 



TDum(fe) ® Top(&„) ® TUp(fe) 

where does not begin with a 
size-respecting definition. 



Top(x =|,] v) = (H ■,n;[x^V];\d) if [vj = Rec // in V 
Top(x =[„] v) = (//;□; id ; [x ^]) if [vJ = Recif in i 

and size(v) = n 



Top(e) EE (e ; □ ; id ; id) 

Top(x«v,i)„„) = Top(x«v) ® Top(/)„„) 



TDum(e) = (e;a;id;id) 

TDum(;i:=[7] e,b) = TDum(i)) 

TDum(;c=[„] e,6) = ((£ = allocn ; □ ; id ; ^])) o TDum(fe) 



TUp(e) 



{e ; □ ; id ; id) 



TUp(;c=[,| = (//;(x = £.Update(fo));id;id) 

if [ej =Rec//in£ 
TUp(x=[„] = (i/ ;(.= (update ;i:£:),Update(6)); id; id) 

if [eJ ^RecffinE 

Fig. 27 The top-level translation from Ao to Aa 

put in the context Top(by). Otherwise, [rec by, h in e]^'^^ is Recein[e|, put in the con- 
text TDum(fc) (i) Top(Z7v) ® TUp{b). Notice that there is no context interference, since 
the innermost one, TUp(fe), does not have any variable allocation, and the outermost one, 
TDum(fc), has no substitution (but only a variable allocation). So, we could equivalently use 
TDum(fc) o Top{by) o TUp(fo). We have two easy results on answers and faulty terms: 

Proposition 55 The function [■J™'' maps answers to answers. 

Proof A simple case inspection. □ 

Proposition 56 For cq of one of the shapes in (3) of Proposition 7, [eoj™'' is faulty. 

Proof By case inspection. □ 

Finally, we prove that all the generalized context compositions we use are well-defined 
and associative. 

Proposition 57 For all b, x, v, and b^, the following hold 



b\-TDum{b), b\-JUp{b), 
X o V I- Top(x o v), and b^ h Top{bv). 



As a corollary, all the possible generalized contexts resulting from the top-level trans- 
lation may be composed (by Lemma 43) in an associative fashion (by Lemma 44). This 
justifies the absence of parentheses in the definition. 
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5.2 Quotient of Aa 

In this section, we relate the three translation functions |-|, [-J, and [-J™^: we show that 
their results are equivalent modulo the rules UPDATEa, LETa, EMPTYLETa, WEAKGCa, 
and ALLOCa- So, letting Aa be the quotient of Aa modulo these rules, we obtain that they 
are equal as functions from Ao to Aa- Then, we study the compositionality of this function. 

Definition 58 (A a) Define =a as the smallest equivalence relation over Aa containing the 
rules UPDATEa, LETa, EMPTYLETa, WEAKGCa, and ALLOCa- Let A a be the set of =a- 
equivalence classes. Let reduction in Aa, written — >a, be defined by the rules: 



where R ranges over the other rules (BETAa, PROJECTa, LiFTa, and IMa). 
Define =alloc. Q =s to be Aa convertibility by rule ALLOCa. 

We obtain that A a and Aa behave identically: 

Lemma 59 For all C, C reduces to an answer, loops, or is faulty in Aa ijfit does in A a. 
Proof We show the following: 

1. If C — >* A, then C — >a* repr(A). The reduction sequence in Aa is one in Aa where 
some steps become equalities. 

2. Conversely, a reduction sequence to an answer in A a corresponds to a sequence of re- 
ductions and anti-reductions in Aa, which by strong commutation (Lemma 12) lead to a 
sequence of reductions. 

3. If C loops in Aa, then C also loops in Aa, because any infinite reduction sequence in- 
volves an infinite number of rules BETAa and PROJECTa. 

4. Conversely, we obtain from any infinite reduction sequence in A a an infinite sequence of 
reductions and anti-reductions in Aa, with an infinite number of BETAa and PROJECTa 
reductions and no such anti-reduction. By strong commutation, this yields an infinite 
reduction sequence in Aa. 

5. Finally, faulty configurations are the same in both calculi. 



5.2.1 Equating the three translations 

We first show that the three translations coincide as functions to A a. First, we have the 
following for the allocating translation. 

Proposition 60 For all v, \y\ = [vj™^. 



Ci =aC'i 



^1 '< f^i ^1 

Ci > C2 L-2 —a 



Ci >aC2 



□ 



Proof By definition of [-J 



TOP 



□ 



Proposition 61 Fora// v, (Rec£in|v]) =alloc, \y\- 



Proof Trivial for variables. For other values, apply Proposition 16. 



□ 



Proposition 62 For all e, (Rec e in |e|) = alloc. \e\- 
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Proof By induction on e, using Propositions 61 and 54. □ 

Consider now the top-level translation of bindings. It splits the bindings in two, cutting 
at the first non-size-respecting or non-evaluated definition. But of course, one could split at 
another point, provided the first part is size-respecting. Indeed, the first part is given as an 
argument to the Top function, which is defined only on size-respecting, evaluated bindings, 
whereas the second part is given as an argument to the TDum and TUp functions, which 
work as well on value and non- value definitions. 

Definition 63 (Partial translation) For all b = {bv,b'), let the partial translation ofb up to 
b^ be TDum(ft') o Top{by) oT\Jp{b'). 

The partial translation of b up to is its top-level translation, computed as if b' did not 
begin with a size-respecting definition. In fact, any partial translation is =a-equivalent to the 
top-level translation, as we now show, using the following properties of the functions TDum 
and TUp, and of substitution. 

Proposition 64 For all C = (Rec£in£), and b, Update(Z>)[C] =alloc. TUp(Z?)[C], using 
the notation of Section 5.1.3 for coercing bindings to generalized contexts. 

Proof By Propositions 62 and 54. □ 

Proposition 65 For all b, B, and E, 

Rec£in let Dummy(i>),S inE =a TDum(i') [Rec£ in let B in£]. 

Proof By induction on b and rules ALLOCa and LETa. □ 

Proposition 66 For all V, a, and x ^ FV(ct), [x C7(V)] o a = a o[x^V]. 

The key lemma (67) then states that the in-place update machinery indeed computes the 
expected recursive definition. Hypothesis 17 is crucial here, ensuring that the update is valid. 

Lenuna 67 For a// C = Rec £ in £ and size-respecting b^^ = {bv,xo v), it holds that 

(TDum(xov) o Top{b^) oTUp{xo v,b))[C] 
=a (Top(/7,„)oUpdate(/7))[C], 

using the notation of Section 5.1.3 for coercing bindings to generalized contexts. 

Proof Let 4 = TDum(xo v) = {H^^c ; □ ; id ; qdx) and jS/,„ = Top(fcv) = ; □ ; C^.^ ; Qb^). 
Let also Q = 5^ o jS^^ oT\ip{xo v,b)[C\ andCi = (Top(;7vJ o Update(Zj))[C]. 

First, we have Top(&vo) — i^^v ® Top(a; o v). 

Then, we proceed by case analysis onxov. 

- {xov) = {x =[„] v) with size(v) = n. Then, v is not a variable. Thus, by definition of 
[•J, [vj has the shape Rec£ = S±-q.I, for some i ^ FV(5). By a -equivalence, we may 
choose another fresh location i' such that [vJ = (Rec£' = Si.nt'). It then holds that 

= {( = alloc n) and Qi^ = [jc i— > £], for some £. 
Let <Ti = (fe + ) ° o^, • We have: 

Ci = (Rec£ = alloc «,f = ai{S),ai{HhJ 

inlet _ = update £ £' ,ai{Update{b)) in (71(E)) 
=a (Rec^ = cJi (S),£' = cJi (5), CTi {Hi, J 
inlet 0-i(Update(fc)) in ai{E)) 

(by rules UPDATEa and LETa), 
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because Size(CTi (5)) = Size(5) = size(v) = n = Size(allocn), by Hypotheses 10 and 17. 
But then, i' is unused, so the obtained configuration reduces by rule WeakGCb to 

C'l =Rec£ = CTi(5),cri(//iJin CTi(let Update(^) in£) 
= {{£ = S,Hi„ ; □ ; C7i„ ; (5^^ + giv)))[Recein let Update(Z7) in£] 
= (Top(^?vo) ° Update(fo))[C] = C2. 

- (jc o v) = (x =[7] v). Then, 5^ = (e ; □ ; id ; id). Let [vj = RecH^ in V. We have Top(;c o 
v) = {H,. ; □ ; [x^ V] ; id). 

Now, let //i = Hy,Hi,^ and cJi = gi,^ o Oh^. We have C\ = RecCTi{//i) in CTi(let x = 
V, Update(^?) in E). By rule LETa, we have 

Ci =aRecCTi(//i)in[xi-^ CTi (y)](CTi (let Update(fc) in£)). 

But bi may not contain forward references to definitions of unknown size, so the defini- 
tions of cannot depend onx. So, ai(//i) = [xi-^ CTi(V)](cti(//i)), and moreover, by 
Proposition 66, we have [x Oi (V)] o Oi = Oi o [xi-^V]. So, the obtained configuration 
is equal to Rec (ai o [x 1-^ V]){Hi) in(c7i o [xi-^ y])(let Update(Z?) in£), which is C2, 
since aio[xi-^V] = g^^ o (ct^^ o [x V]). 

□ 

We then obtain the following. 

Lemma 68 For all by,by^,b, and C = ReceinZs, if {by,by^) is size-respecting, then 
(TDum(/7vJ o Top(Z7,) o TUp{b,„,b))[C] =a (Top(^v,^vo) ° TUp(&))[C]. 

Proof By induction on Z>vq. The base case is obvious. For the induction step, assume that 
Z>v(, = {xov,by^). We have TDum(/7vo) = TDum(xo v),TDum(fcv|). By Lemma 67, 

{TDum(xo v) o Top(Z?v) ° T\Jp{x o v,byi,b))[C] 

=a (Top(fov,^ov) o Update(fovi,*))[C] 

=a (Top(Z>v, Jc o v) o TUp(Z>vi ' ^)) [^] C^y Proposition 64). 

This obviously gives (using Proposition 49) 

(TDum(xc> v,/?vi) ° Top(/?v) ° TUp(xo v, fovi,fe))[C] 

= TDum(^>v, ) [(TDum(x ov)o Top(fov) o TUp(x o v,by^,b))[C]\ 

=a (TDum(&vj) oTop(&v,.^:ov) oTUp(Z?vi,^))[C]. 

By induction hypothesis, we obtain 

{TDum{by^) oJop{by,xov) oTUp{by^,b))[C] 
=a(Top(fev,^JoTUp(&))[C], 

which gives the expected result. □ 

Lemma 69 For all b and E, 

Receinlet Dummy(Z7), Update(^) ini? =a L^'J™''[Receinii]. 
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Proof First, if b is empty, then the results holds by application of rule EMPTYLETa, which 
is included in =5. 

Otherwise, we have 

Receinlet Dummy(fe), Update(&) in£ 

=a TDum(fo)[Rece in let Update(Z>) in£] (By Proposition 65) 
= TDum(Z?)[Update(Z7)[C]] (For C = Recein£) 

=a TDum(Z7)[TUp(Zj)[C]] (By Proposition 64) 

=a (TDum(Z>) o TUp(Z>)) [C] (By Proposition 49). 

Now, h may be decomposed as = {by^^fy)), where does not begin with a size- 
respecting definition. By Lemma 68 with b^ = e, we have 

(TDum(^o) o TUp(^o,&o))[C] =a (Top(^o) o TUp(Z.o))[C], 

which gives 

TDum(^?) oTUp(/7))[C] 
= TDum(Z7vo,fco)oTUp(fevo,fco))[C] 

= TDum(Z)o)[(TDum(fcvo) ° TUp(^'vo,^o))[C]](By Proposition 49) 
=a TDum(foo)[(Top(^'vo) ° TUp(fco))[C]] (By Proposition 53) 
= (TDum(Z?o) o Top(^7vo) ° TUp(l7o)) [C] (By Proposition 49) 
= L*J™''[C] (By definition of [•J™''). 

□ 

Corollary 70 For all b and e, Rec £ in |rec b in e] =5 L^J ™'' [Rec £ in |e]|] . 

Finally, the following lemma states that the three translations [•], [ J, and [ J™'' are 
equal as functions from Ao to Aa- 

Lemma 71 For all e, it holds that (Rec£in|e]) =a [ej =a L^J™*"- 

Proof Proposition 62 directly implies (Rec £ in =a [cj . 

To prove [e\ =a [eJ™'', we proceed by case analysis on e. If e is not of the 
shape recfoine', then the result follows by definition of [•J™''. Otherwise, by Corol- 
lary 70, we have [eJ = Recein|rec ^ in e'] =a [i)J™''[Rec£in|e']], SO we just have 
to prove [/7j™''[Recein|e'|] =a [rec in e']™"". If b is not size-respecting, then the 
result holds by definition of [•J™''. Otherwise, we have [rec /? in e'J = [i"] [ [e'J ] . 
But by Proposition 62, (Recein|[e']]) =ALL0Ca [^'Ji so by Proposition 54 we obtain 
[Z?J™^[[e'J] =alloc. [^J™^[Rec£in|e'|], which gives theexpectedresult. □ 

5.2.2 Compositionality 

For proving that the evaluation of an expression in Ao corresponds to the evaluation of its 
translation in Aa, we seek compositionality properties of our translations. The standard trans- 
lation is obviously compositional, in the following sense. 

Definition 72 (Standard translation of contexts) Define |E| by extension of |-| on expres- 
sions, with |nj = □. 



Proposition 73 For all E and e, |E[e]l = [E] [[e]] . 
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Gen(RecHin <p) 

l^jrjTOP 

[recfcvinFJ™"" 
[rec bs,,x<>W,b inej 



TOP — 



(ff ; (p ; id ; id) 

Gen(LFJ) 

LfevJ™-oGen(LFJ) 



TDum(xo¥,b) oTop(by) oTllpy^{xo¥,b) 
= (i/ ; let f = 9,8 in £ ; id ; id) 

if TUp(;c oV,b) = {H -,{1 = (p,B) ; id ; id) 



Fig. 28 Top-level translation of contexts from Ao to Aa 



Proof By trivial induction on E. 



□ 



However, we have seen that |[ | does not lend itself to a simulation argument, so we con- 
sider the compositionality of [ J™''. We obtain below in Corollary 77 that for all expressions 
e and evaluation contexts E, [E[e]J™'' =a [Ej™''[[eJ]. This is not exactly what one could 
have hoped for ([E[e]J™'' =5 LEJ™''[[eJ™'']) but it will be enough to prove correctness of 
our translation. 

Figure 28 defines Gen(Rec//in (p) as the obvious generalized context made of H and 
(p, using the fact that nested lift contexts are allocation contexts. Then, define [-J on nested 
lift contexts by extension of [-J on expressions: we consider □ not to be a value, and put 
[□J = Recein □. For any F, the translation [FJ™"" has the shape RecHtncp for some H 
and (p. This gives 

Proposition 74 For all F, Gen( [FJ ) is a generalized evaluation context. 

Proof By induction on F and case analysis on lift contexts. □ 

Figure 28 then defines the translation of evaluation contexts. The translation TDum(xo 
F, b) has no hole; TUp{xo¥,b) has two: one from F, plus one for the body of the returned 
let-binding (present for any TUp(fc)). The special notation TUpe(x o W,b) fills the latter 
with E. We obtain the following immediately. 

Proposition 75 For all E, [EJ™*" is a generalized evaluation context whose variable allo- 
cation is id. 

Proof By case analysis on E and Proposition 74, [EJ™^ is a generalized evaluation context. 
By case analysis, we then prove that its variable allocation is id. If E is a nested lift context, 
then by definition of Gen, it is the case. In both other cases, [EJ™"" is defined as the weak 
composition of more than one generalized evaluation context, which by definition has id as 
its variable allocation. □ 

This allows stating the expected compositionality result. 

Lemma 76 For E = □ and all e, LE[e]J™'' = [Ej™''[[eJ™''l. 
ForE^D and all e, ife ^ values, then [E[e]J™'' = LEj™''[LcJ]- 
For all E and v, LE[v]J™'' =5 LEJ^^M]- 

Proof The first point is trivial. The second is obtained for lift contexts first (by a simple case 
analysis), then for nested lift contexts by straightforward induction, and finally by case anal- 
ysis on E. As for the last point, if □ is replaced with a value, it may permit the allocating and 
top-level translations to perform more administrative reductions, as for instance in contexts 
of the shape e □. The proof uses Lemma 68. □ 
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Corollary 77 (Weak compositionality) For all E and e, LE[c]J™'' =a LEj™''[LeJ]. 

Full compositionality does not hold: [E[e]J™'' is not always =a-equivalent to 
j^]gjTOP||^gjTOPj 'Yhs reason is because =a does not include rule IMa, as shown 
by taking E = (rec;ic =p] ninx) and e = (recy =p] iX = z},z' =p] y.X ±ny). In 
this case, [E[e]J™'' = (Receinletx = (let y = iX = z>,z' = y.X in y) in x) , and 
[Ej™''[[eJ™''] = (Rec^ = iX = z>inletx = (let z' = i.X ini) inx). An application 
of IMa is needed in order to relate them. 

Further quotienting A a by this rule might lead to full compositionality. Moreover, we 
think that it would preserve the good properties of the translation. In particular, Ao reductions 
by rule IMo cannot be infinite, so non-termination would remain correctly simulated by the 
translation. However, this is not needed to complete our correctness proof, so we did not 
investigate it. 

5.3 Quotient of Xo 

We now define Ao, based on the following notions of binding scraping bp{x) and context 
scraping E*(v). The intuition is that E*(x) does much the same work as iterating the rule 
SUBSTo until a non-variable value is foimd. Below, we use it to replace rule SubsTo, in the 
case where E is dereferencing. In such cases, if there is no non-variable value for x, then 
E[x] is faulty, so we do not have to consider it. Technically, E*(x) is then undefined. 

Example 78 Let = (x =[9] Xx'.xf,y =[7] x) and consider e = (rec bv in {y {>)). In order to 

reduce to e' = (rec by in((Ax'.x') {>)), e takes two SuBSTo steps. In Ao, we will directly 
replace y with (rec fcy in ^)*{y)^ which is Ax'.x', and perform the BetAo step on-the-fly. 

Definition 79 (Binding scraping) For all sets P of variables, bindings b (not necessarily 
size-respecting), and variables xedom{b), define binding scraping recursively by: 

bp{x) = b{x) if b{x) ^ vars or b{x) G vars\dom(&) 

bp{x) = cycle if b{x) £ dom(fc) HP 

= %}uP)(*W) if e dom(fc) \P. 

For all such b and x, if b^{x) ^ cycle, define b*(x) = /'^(x). 

Definition 80 ( Context scraping) 

Define E*(x) = (Binding(E))*(x) if x e dom(Binding(E)) 
E*(v) = vifv^ varsorvGvars\dom(Binding(E)). 

Let us now prove elementary properties of binding scraping. 

Lemma 81 Binding scraping is well-defined, i.e., for all b and P, bp is a total fiinction. 

Proof Let the measure ^ be defined from pairs of a binding and a set of variables to natural 
numbers by n{b,P) = | dom(&) the cardinality of dom(ii) \P. 

First, we notice that if pL{b,P) = 0, then binding scraping immediately returns, on any 
variable x 6 dom(fo). Indeed, if b{x) ^ vars, it returns b{x). Otherwise, if the variable b{x) is 
in dom(i'), then it is also in P, so b*p{x) = cycle, and if the variable b{x) is not in dom(Z>), 
then b*p{x) = b{x). 

Then, as the measure decreases by 1 at each recursive call, we conclude that bp{x) is 
well-defined for any x e dom{b). □ 
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Proposition 82 For all b,P,y, andx G 6om{b), ifbp{x) = y, then y ^ dom{b). 

Proof By induction on the proof of b*p{x) = y. The base case is when b{x) = y and y ^ 
dom(Z?), which gives immediately the expected result. The induction step is when there 
exists z G dom (ii) \ P such that b*^^^^p (z) = >>. By induction hypothesis, this gives y ^ dom {b) 
as expected. □ 

We now define Ao as having the same expressions as Ao, but a different reduction rela- 
tion, written — >5. 

Definition 83 Let the merging E(rec b in e) of rec bine into the context E be defined as 

- rec in e if E = □, 

- and otherwise the result of normalizing E[rec b in e] w.r.t. rule CONTEXTo/LiFTo, plus, 
if E had a top-level binding, applying IMo or EMo once. 

Note that the capture-avoiding side conditions of Definition 83 are always satisfiable by 
bound variable renaming. 

Then, we define — >o relatively to — > by removing rules BetAo, ProjecTo, and 
Subs To, and adding the following three rules: 

Beta'„ Project'^, 

E*{vo)=Xy.e E*(vo) = {r} 



E[vo v] — ^5 E{rec y =p] v in e) E[vo.X] — >o M[r{X)] 

Update! 



^v*(3')=^' size(v) 



: n 



rec b^,x=^„] y,b ine — >o rec bv,x =[„] v,b in e. 

Observe that all Ao rales are simulated in Ao, except rale SUBSTo. Indeed, rales 
BetAo and ProjecTo are special cases of rales Beta^ and Project^,. Rule SubsTo, 
albeit not directly simulated, yields a simulation w.r.t. our obserables: evaluation answers, 
non-termination, and faultiness, as we now show. 

Lemma 84 For all D and by = Binding(D), for all x e vars, v ^ vars, and finite sets of 
variables P, if x ^ P and by*p{x) = v, then there exists a value v' such that J]>{x) = v' and 
B[v'] — >* D[v]. 

Proof We proceed by induction on the proof of bvp{x) = v. 

- If bv{x) G vars\dom(/?), then by*p{x) ^ v, contradiction. 

- If by{x) = V, then, taking v' = v, we have D(x) = by{x) = v and D[v] — >* D[v] by 
reflexivity, as expected. 

- If by{x) G 6om{b) DP, then by%{x) = cycle, contradiction. 

- If by{x) e dom(&) \P, let >■ = by{x). We know &v{4up(>') = v,soy^ {x} UP. Thus, by 
induction hypothesis, there exists a v" such that B(>') = v" andD[v"] — >* D[v]. But then, 

D[v"] — >* D[v]. So, taking V = y, we obtain D(x) = v' and D[v'] — >* B[v]. 



a 

Lemma 85 For all D,x, and v ^ vars, ifO[x] — >+ D[v] then D*(x) = v. 
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Proof By Lemma 84, there exists v' such that D(a:) = v' and D[v'] — >* D[v], which imme- 
diately gives the expected result. □ 

Finally: 

Lemma 86 For all e, ife reduces to an answer, loops, or is faulty in Ao, then so it does in 

Proof The lemma says: 

1. if e — >* a, then e — >o* a\ 

2. if e loops in Xo, i.e., there exists an infinite reduction sequence starting from e, then e 
also loops in Ao ; 

3. if e is faulty in Ao, then it is also faulty in Ao. 

First, consider a reduction sequence from e to a normal form ei in Ao. We prove by 
induction on its length that 

- if ei is an answer, then e reduces to an answer in Ao, and _ 

- if ei has the shape D[v], i.e., e is faulty in Ao, then e is faulty in Ao too. 

The base case is trivial. For the induction step, if the first reduction step in the given se- 
quence is not SuBSTo, then it is simulated in Ao, so we get the expected result by induction 
hypothesis. Otherwise, e = B[jc] and the first step has the shape D[x] — > D[v], with v = B{x). 
Consider the maximal subsequence of the given reduction sequence having the shape 

irar 1 — irar 1 SUBSTo , SUBSTo SUBSTo „r , 

D[x\ = D[voJ > D[viJ > . . . > 0[Vn\ 



with each v,- ^ v,+i, i.e., rule SubsTo appUes each time at D. Thus, n > 0, and for i < n, v,- 
is a variable. 

Now, if D[v„] is an answer, then D has the shape rec ]B=|^| in v' with size{v„) = m, hence 
e — >o ei by rule Update^. 

Otherwise, if D[v„] is not an answer, but is actually e\ , i.e., is in normal form, then D[x] 
is in normal form in Ao and not an answer, hence faulty in both calculi. 

Otherwise, if D has the shape rec B=, „ in e' for some n' , ]B=, , and e', then e — >o IDfv„l 

^ [n ] [« ] *■ 

by rule UpdateJ, in Ao, and we conclude by induction hypothesis. 

Otherwise, D[i'„] further reduces by one of BetAo and ProjecTo, and then the cor- 
responding rule (Beta'o or ProjecTo) applies in Ao, and we again conclude by induction 
hypothesis. 

Finally, to show that non-termination is preserved, given an infinite reduction sequence 
in Ao, build one in Ao by the same algorithm: if the first step is not SubsTo, then it is 
simulated directly, otherwise, consider the maximal subsequence of SubsTo steps. □ 

We now quotient Ao by EMo and Update'o to obtain Ao. 

Definition 87 (Xo) Define =o as the smalles^equivalence relation over Ao containing the 
rules EMo and Update'o . Let the terms of A o be the set of =o-equivalence classes. Let 
reduction in Ao, written — >o, be defined by the rules: 

/ I R I I 

ei =061 ci — >-e2 ^2 =062 
ei >-e2 



where R ranges over the other rules (LifTo, ContexTo, IMo, Beta'o, and Project'o). 
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We now show that Ao simulates Ao, and that [•J™'' remains well-defined as a function 
from Xo to Aa. For this, we prove that rules EMo and UpdateJ, preserve [■J™'' (modulo 
=a, which A a is quotiented by) and that infinite Ao reductions can not exclusively contain 
EMo or Update'^ reductions. For each of these two rules, we start by defining a measure, 
and show that each rule makes its measure strictly decrease, and preserves the top-level 
translation. We start with EMo. 

Definition 88 (Number o/rec nodes) Nbletrec(e) is the number of rec nodes in e. 

Lemma 89 (External mei^ng) For all e and e', if e e', then Nbletrec(e) > 
Nbletrec(e') and [ej™^ =a KJ™'"- 

Proof Let e = rec in rec b in eg 
and e' = rec bv,b in eg. 
Obviously, Nbletrec(e) > Nbletrec(e'). Furthermore, we have 

[ej™^ = Top(i>v)[Rec£inlet Dummy(^?), Update(i>) in|eol]- 

If b is empty, after applying rule EMPTYLETa (which is in =a), the configuration becomes 
Top(Z7v)[Rec£in|eol], which is =a-equivalent to Top{£'v)[LeoJ] = L^'J™""- 

Otherwise, using Proposition 53, and after checking that Top(fev) is a generalized bind- 
ing, we have 

[ej™'' = Top(/7v)[Recein let Dummy(fo), Update(/7) in|eoI] 

=a (Top(Z7v) ° TDum(Z?))[Receinlet Update(&) in|eol] 

(by Propositions 53, 49, and 65) 

=a (TDum(fo) o Top(fov))[Rec£inlet Update(fo) in|eol] 

(by Proposition 52, since dom{b) # dorr\{by) U F\/{bv)) 

=a (TDum(Zj) o Top(Z7v) o TUp(^))[Rec£in|eoI] 

(by Propositions 53, 49, and 64) . 

But then, let b = {by^^b') with fe' not beginning with a size-respecting definition. We 
have 

(TDum(Z7) o Top(Z?v) o TUp(^)))[Recein|eol] 
= (TDum(/7v„,^'') °Top(^7v) oTUp(/7vo,^'))[ReceinIeoI] 
= (TDum(Z?vo) °TDum(fc') oTop(fcv) oTUp(fovo,fe'))[Rec£in|[eoI] 
= (TDum(^?') °TDum(l7vo) oTop(l7v) oTUp(|Pvo,^'))[Recein|eo]] 

(by Proposition 52) 

= TDum(fo')[(TDum(fcvJ oTop(i>v) oTUp(ZJvo,&'))[Recein[eol]] 

(by Proposition 49) 

=aTDum(Z^')[(Top(^v,^vo)oTUp(Z^'))[Recein[eol]] 

(by Lemma 68 and Proposition 53) 

= (TDum(Z)') °Top(fov,fcvo) °TUp(fo'))[Recein[eoI] 

(by Proposition 49). 

But if b' is not empty, then this last configuration is exactly [e'J™^. Otherwise, if b' is 
empty, then (TDum(Z?') o Top(i)v,^'vo) ° "'"Up(fo')) = Top(Z>v,^'vo) ^ generalized binding. 
But by Propositions 62 and 53, 

Top(fov,^vo)[Recein|eo]] =aTop(Z7v,^'vo)[M] = \_e' \'^°^ , 
which gives the expected result. □ 
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Next, we define a measure that strictly decreases by application of rule Update'^. 
Definition 90 We define Lengthy as follows: 

Lengthy (rec K,b±ne) = | dom(^?)| where b does not begin with a 

size-respecting definition. 

Length^(e) =0 if e does not begin with rec. 

The lemma for rule UPDATE^ requires the following properties of the top-level transla- 
tion, about how variables can be accessed in the translation of a binding. 

Lemma 91 For all x,v,H, a, g, and b^, ifJop^b^) = (//;□; cr ; and bv*{x) = v, then 
there exist and V such that [vj = Rec //y in V, {qoa) (x) = V and C H. 

Proof Weprovemoregenerally thatfor allx,v,//,(7,g,Pandi>v- if Top(Z?v) = (//;□; a ; g) 
and by*p{x) = v, then there exist and V such that [vJ = Recffv in ^> (? ° {x) = V and 
H^<ZH. 

We proceed by induction on the proof of Kp{x) = v. 

The base case amounts to proving the result with the additional hypothesis that by (x) = 
V. For this, we decompose by into b^^^^xo v,bv^. By definition of Top, we have Top(^Jv) = 
(Top(i>vo) ® Top(xo v) ® Top(Z>vi )). Let Top(i>vo) = {Ho ; o ; ao ; go) , and ^op{by^ ) = {Hi; 
0;ai; gi). 

- If V is a variable y, then Top(x o v) = {e ; O ; [x ^ y] ; id). Let Hy = e and V = y. We 
have CT = (ctq o [x i-^ >■] o CTi) and g = (go o gi). Furthermore, we know x ^ dom((Ji), 
and by Proposition 82, y ^ dom{by). This also gives y ^ dom(g) Udom(c7), because 
(dom(g) Udom((7)) C dom(fcv)- Thus (g o ct)(x) = (g o CTo)(}') = y, as expected. 

- If V is not a variable, then Top(xo v) = {Hi, ; □ ; id ; [x £]), with [vJ = RecHyini. 
Take V = £. We have g = (go o [x i-^ o gi) and G = (cto ° <^\)- But we know x ^ 
dom(c7) Udom(gi) Udom(go), so (g o ct)(x) = (go o [x i-^ ^■]){x) = I = V as expected. 

For the induction step, assume by{x) = y and ^v{x}uf (3') = ^- Then, b^ has the shape 
{byg,x o y,by^) for some by^,by^. By definition of Top, we have Top(Z7v) = (Top(Z7vo) ® 
Top(x oy) ® Top(Z?vi ))• Let Top(fcvo) = {Hq ; a ; Oo \ go), and Top(/7vi ) = {H\ ',0 \ Oi ; 
gi). We know that H = {Ho, Hi), a = (ob o [x i— > o <7i) and g = (go o gj). By induction 
hypothesis, there exist Hy and V such that [vJ = Rec/Zy in V, Hy C H, and (g o C7)(>') = V. 
Thus, there only remains to prove that (g o a){y) = (g o a){x). 

- If y e dom(/7vi ), then, since by contains a forward reference from xtoy,y has a known 
size indication in by. So, y e dom(gi), hence y ^ dom(c7). Thus, (g o cj)(3') = g{y) = 
(g o <7o o [x y]){x) = (g o a){x). 

- Ify^ dom(&vi), then (g o <7)(3;) = (g o <7o)(3') = (g o <7o o [x^y]){x) = (g o a){x). 

□ 

Lemma 92 For all E,x,H, , a, and v ^ vars, ;/ [EJ™"" = {H ; t, ; a ; id), and E*(x) = v, 
then there exist Hy and £ such that [vJ = Rec/Zj, in £, g{x) = £ and Hy C H. 

Proof By case analysis on E. First, if E is a nested lift context, then v = x and x ^ dom(<7), 
which gives the expected result. 

If E = (rec by in F), then [EJ™'' = Top(fov) o Gen( [FJ ). But by definition, Gen( [FJ ) = 
{H' ; 9 ; id ; id) for some H' and (p. So, a = Subst(Top(i'v)), and we conclude by Lemma 91. 
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If E = {recb^,yo¥,bine), then [EJ™"" = (TDum(yoE,6) o Top(fov) « T\Jp^^j{y o 
¥,b)). Let TDum(y oF,&) = (//q ; □ ; id ; So), Top(&v) = {Hb^ ; □ ; ; gi,„), and TUp[,j{y o 
¥,b) = {//i ; ^ ; id ; id) (they have these shapes by definition). We have <7 = (^o ° ° 
H = (Hq,Hi,^,Hi). By Lemma 91, we obtain Hy and £ (because v ^ vars) such that [vj = 
KecHy in£, //v ^ and o C7i„)(x) = £. Here, this immediately gives C 7?^^ C H 
and <7(x) = £. □ 

Update' 

Lemma 93 For all e and e', ife e' , then Length„(e) > Lengthv(e') and [ej™"" =5 

^g/JTOP_ 

Proof Obviously, Length^,(e) > Lengthy(e'). Furthermore, we have e = {rec{bv,y =[„] 

Update' 

x,b) ineo). Let ID) = (rec(by,y =[„] 0,b) ineo). Since D[x] ^ e', we have some 

non-variable value v such that by*{x) = v and size(v) = n. By Lemma 92, and letting 
[DJ™"" = (//;,§; CT ; id), we have [vJ = RecHyini such that H,. C H and a{x) = i. 
Then, let db = TDum{b) and = {£' = alloc « ; □ ; g,. ; id) = TDum{y =[„] □) for some 
location £', with g^, = [y i!']. Let 5 = 5y o 5;,, and Top(&v) = ; □ ; (7i ; id), such that 
HyCHiQH and <7 = Subst(5) o (Ji = Subst(5fe) o g^ o ai. 
We have 

[P[x]J™'' = (5 o Top(fcv)) [let . = update yA:,Update(Z7) in|eo]]. 
Buty ^ supp((7i), so 

[D[x]J™'' = (5oTop(^7v))[let . = update £' i,\Jpdate{b)±n M]- 

Furthermore, size(v) = S\ze{Hy{£)) = n, by Hypothesis 17, and moreover by construction of 
the translation, Hy only contains one binding. So, in fact, the update copies [vJ entirely, and 
the previous configuration reduces by UPDATEa and LETa to 

{5b o Top{b^,y =[„] v))[let Update(&) iii|eol]- 

Finally, by Proposition 64 and Lemma 68, this is =a-equivalent to [ro[v]J™'', which is ex- 
actly Le'J™^ 

□ 

We obtain that Xo simulates Xo, and hence also simulates Xo. 

Lemma 94 For all e, ife reduces to an answer, loops, or is faulty in Xo, then so it does in 

Xo' 

Proof The only non-trivial point is non termination. By Lemmas 89 and 93, and since 
UpdateJ, preserves Nbletrec, the lexicographic order (Nbletrec, Lengthy) stricly decreases 
by EMo and Update'^. Thus, there is no infinite reduction sequence in Xo involving only 
these rules. □ 
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5.4 Correctness 

We now have the tools to prove the expected correctness theorem. We first notice the fol- 
lowing useful property of E(rec in e). 

Proposition 95 For all E,Z>v,e, /fE(recZ)v ine) is defined, then [E(reci>v ine)]™"" = 



Proof By commutation of Top(i'v) with Gen( [FJ ), where F is the nested lift context part of 
E. □ 

Lemma 96 (Correctness) For all e and e', ife — >o c', then [ej™*" — ^a"*" L^'J™""- 

Proof We proceed by case analysis on the rule used. 

BetaJj There exist E, vo, and v such that e = E[vo v], E*(i'o) = Ajc.g, and e' = E(rec x =p] 
V ing). Let [vj = Rec/Zyiii^ and \Xx.g\ = RecHi in£ (with Hi = £ = Ajc.|g]). Let 
LEJ™-=(ff;^;<j;id). 

- If Vo = Xx.g, then 

LeJ™^ =a LEj™'[LvovJ] 

=a [E\'''"'[RecHuH,in£V] 

lE\''"''[RecHuH,in[x^V]{M)] 

=a LEJ™'[Rec//.,iii[x^y](H)] 

=a LEJ™''oLx=pjvJ™''[ReceinM] 

=^ LEJ™''oLx=p,vj™-[UJ] 

=a Le'J™'- 

- If Vo = y with E*(>') = Xx.g, then by Lemma 92 we have a location ^ = ^(y) such 
that H{£) = Xx-lgj. So we have 

=a LEJ™''[Rec//,inj.y] 
=a [Ej^'lRecTfvin^y] 
^a LEj™''[Recffvin[x^y]([gl)] 
=a [e'J™'' (as above). 

Project^ There exist E, vq, and X such that e = E[vo.X], and E* (vq) = {r} with r{X) = z. 
Let [{r}J = Rec//i in £ (with Hi=£ = {r}). The whole expression reduces to E[z]. Let 

LEjTOP=(ff ;^ ;C7;id). 

- If Vo = {r}, then 

Lej™- =a LEJ^^iLvo-xj] 

=a LIEJ™''[Rec//iinf.X] 

^a LEJ™''[Rec;/iinz] 

=a LEj™''[Rec£inz] 
=F LE[z]J™-. 

- If vo = >' with E*(>') = {r>, then by Lemma 92 we have a location £ = ^(y) such 
that H{£) = ir}. So we have 

W™" =s LEJ™^[b.^J] 

=a LlEj™''[Receini'.X] 
^a LEj™''[Rec£inz] 
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CONTEXTo with LiFTo We have e = E[ei], with e\ = L[rec b in eo], and e' = E[e2], with 
€2 = rec b in L[eo]. Let y = (// ; ^ ; cj ; id) = [EJ™'' and [LJ = (//l ; t?l ; id ; id). We 
have 

LE[ei]J™>' =a y[Rec//LinT]L[letDummy(^7),Update(^7)in|eol]l 
— >a y[Rec//L in let Dummy(Z>), Update(^?) in J7L[|eol]] 
=a y[RecSin|e2l] 

IMo We have e = rec in eo and e' = rec b' in eo, with = {bv,xo (rec &i in ei),b2), 
andb' = {bv,bi,xoei,b2). 

Let /3i,^ = Top(fov). bo = {xo (rec fo] in ei ), ^2) and fog = [x o e\,b2)- 

By definition of the translation, we have [rec in eoj™"" = TDum(Z7o) ° o 

TUp(i>o)[Rec£in|eol]. 

, , f (j:, □) if o = =-■,! 
Let now (t,a)) = {)' ' 

y (_, update X □) otherwise. 

We have 

[rec Zji ineij = (Rec£in|rec fci inei]) 

= (Receinlet Dummy(&i), Update(i>i) in|ei]) 
= Rec e in Zii . 

So [rec b ineoj™'' = TDum(Z7o) o jSi„ [Rec e in let f = ^[£1], Update(Z72) in|eol]. 
But this reduces by (maybe rule LiFTa and) rule IMa to 

TDum(i'o) o j3i,„[Rec£in let Dummy(£ii), Update(Z7i), 

? = 9)[|eil],Update(Z?2) 
in W]. 

But we recognize Update(Z>i , b'^), so the obtained configuration is equal to 

C = TDum(foo) ° jSfev[l^scein let Dummy(Z7i), Update(Z?i,&o) in|eol]. 

Then, by Propositions 53 and 65, we obtain 

C=aTDum(foo) °hy o TDum(Z?i) [Receinlet Update(foi,&o) in[eol]. 

But as 6om{bi) # dom(Z?v) U fy{by), this is equal to 

TDum(fol,Z7o) o jSi,„[Recein let Update(/?i , ^q) in|eol], 

which by Proposition 64 and Lemma 68 is =a-equivalent to [rec b' ineoj™'', which 
concludes the proof. 

□ 

This yields: 

Corollary 97 For all e, if e reduces to an answer, loops, or is faulty in Xo, then so does 
[ej™^-«la. 
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Proof Since [•J™'' maps answers to answers (Proposition 55), if e reduces to an answer, 
then so does [ej™''. Moreover, because Lemma 96 uses — >a^, if e loops, so does [ej™*". 
Finally, if e is faulty, then it reduces to a term cq in normal form of one of the shapes in 
Proposition 55, hence [ej™"" reduces to [eoj™"". which is faulty by Proposition 56. Hence 
LeJ™'' is faulty. □ 

We finally have: 

Proof (of Theorem 18) By composing Lemmas 86, 94, Corollary 97, and Lemma 59, we ob- 
tain the result for [ej™''. But [ej™'' =a |e] in Aa, hence they behave the same by Lemma 59. 

□ 



6 Related work 

Ariola and Blom [2] study A-calculi with let rec, in relation with the graphs they repre- 
sent. The Ao language presented here is mostly a deterministic variant of their call-by-value 
calculus. The main difference lies in our size indications, which specialize the language for 
efficient compilation. 

Lang et al [19] study A-calculi with sharing and recursion, resulting in the notion of 
Addressed Term Rewriting Systems. Unlike in Ao, cyclic data structures are represented using 
addresses: each node of a term is given an address, which can be referred to by a back 
pointer. Addresses can be shared among instances of the same term. Moreover, addresses are 
not bound in the considered term, whereas in Ao, rec does bind variables. Thus, addressed 
terms must satisfy a number of coherence conditions, which appear to be far from trivial. 
This explains our choice of Ariola et al.'s approach. 

Erkok and Launchbury [10] consider the interaction of recursion with side effects. In the 
setting of monadic meta-languages, Moggi and Sabry [23] devise an operator named Mf ix, 
with an operational semantics, which unifies different language constructs for recursion. 
This very interesting work is more abstract than ours, in the sense that it unifies several 
recursion constructs from both eager and lazy languages, whereas our work is specific to 
call-by- value. Also, we are not specifically interested in the interaction between recursion 
and side effects, although we treat it with care. Moreover, Erkok and Launchbury and Moggi 
and Sabry are not concerned with compilation. 

Another work on recursion, already discussed in Section 1.2, is Boudol's calculus [3]. 
From the standpoint of expressive power, this calculus is incomparable with Ao. On the one 
hand, the semantics of Ao, based on Ariola et al.'s work, allows to represent cyclic data 
structures such as let rec x = cons 1 x, while such a definition loops in Boudol's calculus. 
On the other hand, the unrestricted let rec of Boudol's calculus avoids the difficult guess 
of correct size indications. 

From the standpoint of compilation, Boudol and Zimmer [4] use a backpatching ap- 
proach, thus increasing the number of run-time tests and indirections. A similar backpatch- 
ing approach is used in Russo's extension of ML with recursive modules [27], implemented 
in Moscow ML, and in Dreyer's work on typing of extended recursion [8]. 

Syme [30] extends the F# language with generalized recursive definitions where the 
right-hand sides are arbitrary computations. Haskell-style lazy evaluation is used to evaluate 
these recursive definitions: a strong, forward reference to a recursively-defined variable x is 
not an error, but causes the definition of x to be evaluated at this point. In the application 
scenario considered by Syme, namely interfacing with libraries written in object-oriented 
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languages, no compile-time information is available on dependencies and object sizes, ren- 
dering our approach inapplicable and essentially forcing the use of lazy evaluation. However, 
lazy evaluation has some additional run-time costs and makes evaluation order hard to guess 
in advance. 

Nordlander, Carlsson and Gill [24] describe an original variant of the in-place update 
scheme where the sizes of the recursively-defined values need not be known at compile- 
time. Consider a reciu-sive definition recx = e. The variable x is first bound to a unique 
marker; then, e is evaluated to a value v; finally, the memory representation of v is recur- 
sively traversed, replacing all occurrences of the unique marker with a pointer to v. This 
recursive traversal can be much more costly than the updating of dummy blocks performed 
by the in-place update scheme: a naive implementation runs in time 0{N) where is the 
size of the value v. (This size can be arbitrarily large even if the evaluation of e is trivial: 
consider recx = Cons / x where / is a 10* element list previously computed.) Assuming 
linear allocation and a copying garbage collector, the traversal can be restricted to blocks 
allocated during the evaluation of e, resulting in a reasonable complexity 0(min(A'^,M)) 
where M is the number of allocations performed by the evaluation of e. However, this im- 
provement seems impossible for memory managers that perform non-Unear allocation like 
those of OCaml and F#. 

Mutually-recursive definitions of functions (syntactic A -abstractions) is a frequently- 
occurring special case that admits a very efficient implementation [18,1]. Instead of allo- 
cating one closure block for each function, containing pointers to the other closure blocks, 
it is possible to share a single memory block between the closures, and use pointer arith- 
metic to recover pointers to the other closures from any given closure. No in-place update 
is needed to build loops between the closures. We believe that this trick could be combined 
with a more general in-place update scheme to efficiently compile recursive definitions that 
combine syntactic A -abstractions and more general computations. However, significant ex- 
tensions to Aa would be needed to account for this approach. 

7 Conclusions and future work 

In this article, we have developed the first formal semantic accoimt of the in-place update 
scheme, and proved its ability to implement faithfully an extended call-by-value recursion 
construct, as characterized by our source language Ao . 

At this point, one may wonder whether Ao embodies the most powerful call-by-value 
recursion construct that can be compiled via in-place update. The answer is no, because of 
the requirement that the sizes (of definitions that are forward-referenced) be known exactly 
at compile-time. In a context of separate compilation and higher-order functions, often the 
only thing that the compiler knows about definitions is their static types. With some data rep- 
resentation strategies, the sizes are functions of the static types, but not with other strategies. 
For example, the closures that represent function values can either follow a "two-block" 
strategy (a closure is a pair of a code pointer and a pointer to a separately-allocated block 
holding the values of free variables) or a "one-block" strategy (the code pointer and the val- 
ues of the free variables are in the same block). With the two-block strategy, all definitions 
of function type Ti T2 have known size 2; but with the one-block strategy, the size is 1 -|-« 
where n (the number of free variables) is not reflected in the function type and is therefore 
difficult to guess at compile-time. 

There are several ways to relax the size requirement and therefore increase the usability 
of Ao as an intermediate language. First, one could permit values of size smaller than ex- 
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Variable: 
Name: 



X 6 vars 
X e names 



Expression: 



e G expr ::= x \ Xx.e \ ei 62 A-calculus 

I {r} I e.X Record operations 
I rec bine Recursive definitions 



Record row: 
Binding: 




Size indication: 



Fig. 29 Syntax of generalized Ao 

pected to fill the pre-allocated blocks. In this case, updating a pre-allocated block changes 

not only its contents but also its size, an operation that most memory managers support well. 
All we now need to determine statically is a conservative upper bound on the actual size. For 
example, if the type of a definition is a datatype (sum type), we can take the maximum of the 
sizes of its constructors. In the case of one-block closures, we can allocate dunrmiy blocks 
with a fixed size, say 10 words, and instruct the compiler to never generate closures larger 
than this, switching to a two-block representation for closures with more than 9 free vari- 
ables (such closures are uncommon). This simple extension can be formalized with minimal 
changes to Ao, Aa and the proofs presented in this paper. 

Another way to relax the size requirement is to notice that the sizes of pre-allocated 
blocks do not need to be compile-time constants: the in-place update scheme works just as 
well if these sizes are determined by run-time computations that take place before the recur- 
sive definition is evaluated. For example, in the encoding of mixins outlined in Section 2.4.2, 
each component of a mixin could be represented not just as a generator function /, but as a 
pair (n,/) where n is the size of the result of /. The recursive definition implementing the 
close operation could, then, extract these sizes n from the run-time representation of the 
mixin and use them to pre-allocate dummy blocks. 

In preparation for future work, we now sketch an extension of Ao where the size indica- 
tions over bindings are no longer compile-time constants but arbitrary expressions. Figure 29 
gives the syntax of this extended language. In bindings, the size indications are all evalu- 
ated before the evaluation of definitions begins, and cannot refer to the recursively defined 
variables. 

From the standpoint of compilation, we beheve that in-place update applies straight- 
forwardly. However, a serious issue with this extension is how to ensure statically that the 
predicted sizes are correct: given a definition x =[(,j] 62, we would like to guarantee that ei 
will evaluate to a value of size the value of ei . If ei is an arbitrary expression, a type system 

or another static analysis can not try and evaluate ei because this would make it undecid- 
able. Instead, we have to find static means of ensuring the validity of definitions in the useful 
cases. 

For this, we plan to start from Hirschowitz's type system for Ao [12] and extend it with 
dependent product types and a special sized type Sized„(T), denoting the set of values of 
type T and of size v. Given n and e of size n, one could give a dependent product type to 
the pair {n,e), namely {x : int, S±zedx{T)). Conversely, take for example a dependent pair 
e of type {x : int,Zi — > Sized;c(T2)), the expression (siid(e) e') has size fst(e), and this 
can be checked statically. This guarantees that the definition x =[f st(e)] (snd(e) e') is correct 



w.r.t. sizes. 



61 



Acknowledgements The authors warmly thank the anonymous referees for their detailed comments and 
helpful suggestions for improving the presentation. 



References 

1. Appel, A.W.: Compiling with continuations. Cambridge University Press (1992) 

2. Ariola, Z.M., Blom, S.: Skew confluence and the lambda calculus with letrec. Annals of pure and applied 
logic 117(1-3), 95-178 (2002) 

3. Boudol, G.: The recursive record semantics of objects revisited. Journal of Functional Programming 
14(3), 263-315 (2004) 

4. Boudol, G., Zimmer, P.: Recursion in the call-by-value lambda-calculus. In: Z. Esik, A. Ingdlfsddttir 
(eds.) Fixed Points in Computer Science, BRICS Notes Series, vol. NS-02-2, pp. 61-66 (2002) 

5. CardeUi, L.: A semantics of multiple inheritance. In: G. Kahn, D. MacQueen, G. Plotkin (eds.) Semantics 
of Data Types, Lecture Notes in Computer Science, vol. 173, pp. 51-67. Springer (1984) 

6. Cousineau, G., Curien, P.L., Mauny, M.: The categorical abstract machine. Science of Computer Pro- 
gramming 8(2), 173-202 (1987) 

7. Crary, K., Harper, R., Puri, S.: What is a recursive module? In: Programming Language Design and 
Implementation, pp. 50-63. ACM Press (1999) 

8. Dreyer, D.: A type system for well-founded recursion. In: Principles of Programming Languages, pp. 
293-305. ACM Press (2004) 

9. Dreyer, D.: A type system for recursive modules. In: International Conference on Functional Program- 
ming, pp. 289-302. ACM Press (2007) 

10. Erkok, L., Launchbury, J.: Recursive monadic bindings. In: International Conference on Functional 
Programming, pp. 174-185. ACM Press (2000) 

11. Gosling, J., Joy, B., Steele, G., Bracha, G.: The Java Language Specification, Third Edition. Prentice-Hall 
(2005) 

12. Hirschowitz, T.: Mixin modules, modules, and extended recursion in a call-by-value setting. Ph.D. thesis. 
University of Paris Vll (2003) 

13. Hirschowitz, T: Rigid mixin modules. In: Y. Kameyama, P. Stuckey (eds.) Functional and Logic Pro- 
gramming. Lecture Notes in Computer Science, vol. 2998, pp. 214-228. Springer (2004) 

14. Hirschowitz, T., Leroy, X.: Mixin modules in a call-by- value setting. ACM Transactions on Programming 
Languages and Systems 27(5), 857-881 (2005) 

15. Hirschowitz, T, Leroy, X., Wells, J.B.: Compilation of extended recursion in call-by-value functional 
languages. In: Principles and Practice of Declarative Programming, pp. 160-171. ACM Press (2003) 

16. Hirschowitz, T., Leroy, X., Wells, J.B.: Call-by-value mixin modules: Reduction semantics, side effects, 
types. In: D.A. Schmidt (ed.) Programming Languages and Systems, 13th European Symposium on 
Programming, ESOP 2004, Lecture Notes in Computer Science, vol. 2986, pp. 64-78. Springer (2004) 

17. Kelsey, R., Clinger, W.D., Rees, J.: The revised^ report on the algorithmic language Scheme. SIGPLAN 
Notices 33(9), 26-76 (1998) 

18. Kranz, D., Kelsey, R., Rees, J., Hudak, P., PhUbin, J., Adams, N.: ORBIT: An optimizing compiler for 
Scheme. In: Symposium on Compiler Construction, pp. 219-233. ACM Press (1986) 

19. Lang, F, Dougherty, D., Lescanne, P., Rose, K.: Addressed term rewriting systems. Research report 
RR1999-30, ENS Lyon - LIP (1999) 

20. Leroy, X., Doligez, D., Garrigue, J., Rfimy, D., VouUlon, J.: The Objective Caml system release 
3.10, documentation and user's manual. Available on the Web, http://caml.iiiria.fr/pub/docs/ 
manual- ocaml/ (2007) 

21. Leroy, X., Doligez, D., Garrigue, J., VouUlon, J.: The Objective Caml system. Software and documenta- 
tion available on tiie Web, http : //caml . inria . f r/ (1996-2008) 

22. Mihier, R., Tofte, M., Harper, R., MacQueen, D.: The Definition of Standard ML (revised). The MIT 
Press (1997) 

23. Moggi, E., Sabry. A.: An abstract monadic semantics for value recursion. Theoretical Informatics and 
Applications 38(4), 375^00 (2004) 

24. Nordlander, J., Carlsson, M., Gill, A.: Unrestricted caU-by-value recursion. In: ACM SIGPLAN Work- 
shop on ML. ACM Press (2008). To appear 

25. Peyton Jones, S. (ed.): Haskell 98 Language and Libraries, the revised report. Cambridge University 
Press (2003) 

26. Plotkin, G.D.: Call-by-name, caU-by-value and the A,-calculus. Theoretical Computer Science 1(2), 125- 
159 (1975) 



62 



27. Russo, C.V.: Recursive structures for Standard ML. In: International Conference on Functional Program- 
ming, pp. 50-61. ACM Press (2001) 

28. Sewell, P., Stoyle, G., Hicks, M., Bierman, G., Wansbrough, K.: Dynamic rebinding for marshalling and 
update, via redex-time and destruct-time reduction. Journal of Functional Programming 18(4), 437-502 
(2008) 

29. Shivers, O.: Control-flow analysis in Scheme. In: Programming Language Design and Implementation 
1988, pp. 164-174. ACM Press (1988) 

30. Syme, D.: Initializing mutually referential abstract objects: The value recursion challenge. In: Proceed- 
ings of the ACM-SIGPLAN Workshop on ML (ML 2005), Electronic Notes in Theoretical Computer 
Science, vol. 148(2), pp. 3-25. Elsevier (2006) 

31. Waddell, O., Sarkar, D., Dybvig, R.K.: Fixing letrec: A faithful yet efficient implementation of Scheme's 
recursive binding construct. Higher-Order and Symbolic Computation 18(3/4), 299-326 (2005) 

32. Wright, A.K., Felleisen, M.: A syntactic approach to type soundness. Information and Computation 
115(1), 38-94 (1992) 



